Double Free Vulnerability in GDAL Affected by Memory Management Flaw
CVE-2019-17545

9.8CRITICAL

Key Information:

Vendor

Osgeo

Status
Gdal
Vendor
CVE Published:
14 October 2019

What is CVE-2019-17545?

The GDAL library prior to version 3.0.1 is susceptible to a double free vulnerability in the OGRExpatRealloc function located in the ogr_expat.cpp file. This issue arises when the memory allocation exceeds the 10MB threshold, potentially allowing an attacker to manipulate the application’s memory handling, which may lead to arbitrary code execution or application crashes. Users of GDAL are encouraged to update to a patched version to mitigate the risks associated with this vulnerability.

References

https://lists.debian.org/debian-lts-announce/2019/11/msg0...
mailing-listx_refsource_MLIST
http://lists.opensuse.org/opensuse-security-announce/2019...
vendor-advisoryx_refsource_SUSE
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.