Integer Overflow in Genivia gSOAP Affects Axis Cameras and Other Devices
CVE-2017-9765

8.1HIGH

Key Information:

Vendor

Genivia

Status
Gsoap
Vendor
CVE Published:
20 July 2017

What is CVE-2017-9765?

A critical integer overflow vulnerability exists in the soap_get function of Genivia gSOAP versions 2.7.x and 2.8.x prior to 2.8.48. This flaw can be exploited by remote attackers to execute arbitrary code or lead to a denial of service on devices utilizing this library, such as Axis cameras. The vulnerability triggers a stack-based buffer overflow when processing large XML documents, potentially resulting in application crashes. Note that many server configurations may mitigate the risk by blocking excessively large documents.

References

https://bugzilla.suse.com/show_bug.cgi?id=1049348
x_refsource_MISC
http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-t...
x_refsource_MISC
http://blog.senr.io/devilsivy.html
x_refsource_MISC

EPSS Score

23% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.