{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-01-08T00:00:00", "descriptions": [{"lang": "en", "value": "Stack-based buffer overflow in the chkNum function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via vectors related to a \"badly formed number\" and a \"long digit list.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-06-30T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20140108 Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q1/51"}, {"name": "101851", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/101851"}, {"name": "MDVSA-2014:024", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:024"}, {"name": "GLSA-201702-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201702-06"}, {"name": "[oss-security] 20140108 Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q1/54"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ellson/graphviz/commit/1d1bdec6318746f6f19f245db589eddc887ae8ff"}, {"name": "DSA-2843", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-2843"}, {"name": "[oss-security] 20140108 Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2014/q1/46"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1050872"}, {"name": "64737", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/64737"}, {"name": "55666", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/55666"}, {"name": "56244", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/56244"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-1236", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Stack-based buffer overflow in the chkNum function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via vectors related to a \"badly formed number\" and a \"long digit list.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20140108 Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q1/51"}, {"name": "101851", "refsource": "OSVDB", "url": "http://osvdb.org/101851"}, {"name": "MDVSA-2014:024", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:024"}, {"name": "GLSA-201702-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201702-06"}, {"name": "[oss-security] 20140108 Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q1/54"}, {"name": "https://github.com/ellson/graphviz/commit/1d1bdec6318746f6f19f245db589eddc887ae8ff", "refsource": "CONFIRM", "url": "https://github.com/ellson/graphviz/commit/1d1bdec6318746f6f19f245db589eddc887ae8ff"}, {"name": "DSA-2843", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2843"}, {"name": "[oss-security] 20140108 Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q1/46"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1050872", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1050872"}, {"name": "64737", "refsource": "BID", "url": "http://www.securityfocus.com/bid/64737"}, {"name": "55666", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/55666"}, {"name": "56244", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/56244"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:34:41.148Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20140108 Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2014/q1/51"}, {"name": "101851", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/101851"}, {"name": "MDVSA-2014:024", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:024"}, {"name": "GLSA-201702-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201702-06"}, {"name": "[oss-security] 20140108 Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2014/q1/54"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ellson/graphviz/commit/1d1bdec6318746f6f19f245db589eddc887ae8ff"}, {"name": "DSA-2843", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2014/dsa-2843"}, {"name": "[oss-security] 20140108 Re: Re: CVE Request: graphviz: stack-based buffer overflow in yyerror()", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2014/q1/46"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1050872"}, {"name": "64737", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/64737"}, {"name": "55666", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/55666"}, {"name": "56244", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/56244"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-1236", "datePublished": "2014-01-10T15:00:00", "dateReserved": "2014-01-08T00:00:00", "dateUpdated": "2024-08-06T09:34:41.148Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:graphviz:graphviz:2.34.0:*:*:*:*:*:*:*", "matchCriteriaId": "EC614024-7FE5-4798-997B-84ACA06CD48B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Stack-based buffer overflow in the chkNum function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via vectors related to a \"badly formed number\" and a \"long digit list.\""}, {"lang": "es", "value": "Desbordamiento de pila en la funci\u00f3n chkNum de lib/cgraph/scan.l en Graphviz 2.34.0 permite a atacantes remotos tener un impacto no especificado a trav\u00e9s de vectores relacionados con un \"badly formed number\" y \"long digit list\"."}], "id": "CVE-2014-1236", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-01-10T15:55:06.307", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/101851"}, {"source": "cve@mitre.org", "url": "http://seclists.org/oss-sec/2014/q1/46"}, {"source": "cve@mitre.org", "url": "http://seclists.org/oss-sec/2014/q1/51"}, {"source": "cve@mitre.org", "url": "http://seclists.org/oss-sec/2014/q1/54"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/55666"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/56244"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2014/dsa-2843"}, {"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:024"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/64737"}, {"source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1050872"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch"], "url": "https://github.com/ellson/graphviz/commit/1d1bdec6318746f6f19f245db589eddc887ae8ff"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201702-06"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/101851"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/oss-sec/2014/q1/46"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/oss-sec/2014/q1/51"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/oss-sec/2014/q1/54"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/55666"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/56244"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2014/dsa-2843"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:024"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/64737"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1050872"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch"], "url": "https://github.com/ellson/graphviz/commit/1d1bdec6318746f6f19f245db589eddc887ae8ff"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201702-06"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "graphviz: stack-based buffer overflow in chkNum()", "id": "1050872", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1050872"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "draft"}, "cwe": "CWE-121", "details": ["Stack-based buffer overflow in the chkNum function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via vectors related to a \"badly formed number\" and a \"long digit list.\""], "name": "CVE-2014-1236", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "graphviz", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "graphviz", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2014-01-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-1236\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-1236"], "statement": "This issue affects the versions of the graphviz package as shipped with Red Hat Enterprise Linux 6. Red Hat Product Security has rated this issue as having Low security impact and therefore it is not planned to be addressed in future updates.\nThis issue did not affect the versions of the graphviz package as shipped with Red Hat Enterprise Linux 7.", "threat_severity": "Low"}