Vulnerability-Lookup

CNVD-2019-37732

Vulnerability from cnvd - Published: 2019-10-29

Title

Video_Converter app拒绝服务漏洞

Description

Nextcloud是德国Nextcloud公司的一套开源的自托管文件同步和共享的通信应用平台。Video_Converter app是一款视频文件格式转换器。 Video_Converter app 0.1.0版本中（用于Nextcloud）存在拒绝服务漏洞，该漏洞源于程序会同时运行多个Ffmpeg进程，攻击者可利用该漏洞造成拒绝服务（CPU和内存消耗）。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://nextcloud.com

Reference

https://github.com/PaulLereverend/NextcloudVideo_Converter/issues/22

Impacted products

Name
Nextcloud Video_Converter app 0.1.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-18214"
    }
  },
  "description": "Nextcloud\u662f\u5fb7\u56fdNextcloud\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u81ea\u6258\u7ba1\u6587\u4ef6\u540c\u6b65\u548c\u5171\u4eab\u7684\u901a\u4fe1\u5e94\u7528\u5e73\u53f0\u3002Video_Converter app\u662f\u4e00\u6b3e\u89c6\u9891\u6587\u4ef6\u683c\u5f0f\u8f6c\u6362\u5668\u3002\n\nVideo_Converter app 0.1.0\u7248\u672c\u4e2d\uff08\u7528\u4e8eNextcloud\uff09\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f1a\u540c\u65f6\u8fd0\u884c\u591a\u4e2aFfmpeg\u8fdb\u7a0b\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\uff08CPU\u548c\u5185\u5b58\u6d88\u8017\uff09\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://nextcloud.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-37732",
  "openTime": "2019-10-29",
  "products": {
    "product": "Nextcloud Video_Converter app 0.1.0"
  },
  "referenceLink": "https://github.com/PaulLereverend/NextcloudVideo_Converter/issues/22",
  "serverity": "\u4e2d",
  "submitTime": "2019-10-21",
  "title": "Video_Converter app\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2019-18214 (GCVE-0-2019-18214)

Vulnerability from cvelistv5 – Published: 2019-10-19 13:32 – Updated: 2024-08-05 01:47

Summary

The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)

Severity ?

7.7 (High)


                        
                          CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:L/S:C/UI:N

CWE

Assigner

mitre

References

URL

Tags

https://github.com/PaulLereverend/NextcloudVideo_…

x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:47:14.023Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/PaulLereverend/NextcloudVideo_Converter/issues/22"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)"
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:L/S:C/UI:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-19T13:32:49.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/PaulLereverend/NextcloudVideo_Converter/issues/22"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-18214",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AC:L/AV:N/A:H/C:N/I:N/PR:L/S:C/UI:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/PaulLereverend/NextcloudVideo_Converter/issues/22",
              "refsource": "MISC",
              "url": "https://github.com/PaulLereverend/NextcloudVideo_Converter/issues/22"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-18214",
    "datePublished": "2019-10-19T13:32:49.000Z",
    "dateReserved": "2019-10-19T00:00:00.000Z",
    "dateUpdated": "2024-08-05T01:47:14.023Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-37732

CVE-2019-18214 (GCVE-0-2019-18214)

Tags

Sightings

Nomenclature