Buffer Overflow Vulnerability in NASA CFITSIO Software
CVE-2019-1010060

9.8CRITICAL

Key Information:

Vendor: Nasa
Status: Cfitsio
Vendor: CVE Published:; 16 July 2019

What is CVE-2019-1010060?

The NASA CFITSIO software, prior to version 3.43, is susceptible to a buffer overflow, enabling potential arbitrary code execution by remote unauthenticated attackers. This vulnerability arises from the mishandling of long strings in over 40 source files, including issues within the ftp_status function in drvrnet.c, which can begin with specific characters like '4'. This vulnerability is distinct from previous issues documented in CVEs 2018-3846 to 2018-3849, emphasizing the need for prompt updates to mitigate risk.

Affected Version(s)

CFITSIO < 3.43 [fixed: 3.43]

References

https://heasarc.gsfc.nasa.gov/FTP/software/fitsio/c/docs/...

x_refsource_MISC

https://github.com/astropy/astropy/pull/7274

x_refsource_MISC

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892458

x_refsource_MISC

EPSS Score

31% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 16, 2019
Vulnerability Reserved
Mar 20, 2019

Nasa

What is CVE-2019-1010060?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline