Buffer overrun in Google Cloud IoT Device SDK for Embedded C
CVE-2021-22547

6.3MEDIUM

Key Information:

Vendor: Google
Status: Google Cloud Iot Device Sdk For Embedded C
Vendor: CVE Published:; 4 May 2021

What is CVE-2021-22547?

In IoT Devices SDK, there is an implementation of calloc() that doesn't have a length check. An attacker could pass in memory objects larger than the buffer and wrap around to have a smaller buffer than required, allowing the attacker access to the other parts of the heap. We recommend upgrading the Google Cloud IoT Device SDK for Embedded C used to 1.0.3 or greater.

Affected Version(s)

Google Cloud IoT Device SDK for Embedded C <= 1.0.2

References

https://github.com/GoogleCloudPlatform/iot-device-sdk-emb...

x_refsource_MISC

https://github.com/GoogleCloudPlatform/iot-device-sdk-emb...

x_refsource_MISC

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 4, 2021
Vulnerability Reserved
Jan 5, 2021