{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-32611", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-05-30T11:48:42.101Z", "datePublished": "2023-09-14T19:07:19.011Z", "dateUpdated": "2025-02-13T16:54:50.478Z"}, "containers": {"cna": {"title": "G_variant_byteswap() can take a long time with some non-normal inputs", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service."}], "affected": [{"product": "glib2", "vendor": "n/a", "defaultStatus": "affected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glib2", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glib2", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glib2", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glib2", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"product": "Extra Packages for Enterprise Linux", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "glib", "defaultStatus": "affected"}, {"product": "Fedora 38", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "mingw-glib2", "defaultStatus": "affected"}, {"product": "Fedora 37", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "mingw-glib2", "defaultStatus": "affected"}, {"product": "Fedora 37", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "glib2", "defaultStatus": "affected"}, {"product": "Fedora 38", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "glib2", "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-32611", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211829", "name": "RHBZ#2211829", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.gnome.org/GNOME/glib/-/issues/2797"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00030.html"}, {"url": "https://security.netapp.com/advisory/ntap-20231027-0005/"}, {"url": "https://security.gentoo.org/glsa/202311-18"}], "datePublic": "2022-12-14T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption", "timeline": [{"lang": "en", "time": "2023-05-24T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2022-12-14T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Upstream acknowledges William Manley as the original reporter."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-11-27T14:06:18.108Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:25:35.683Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-32611", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211829", "name": "RHBZ#2211829", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://gitlab.gnome.org/GNOME/glib/-/issues/2797", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00030.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231027-0005/", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202311-18", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnome:glib:*:*:*:*:*:*:*:*", "matchCriteriaId": "75A30FA8-F2FB-4637-9EBB-5F2F8D057180", "versionEndExcluding": "2.74.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en GLib. La deserializaci\u00f3n de GVariant es vulnerable a un problema de desaceleraci\u00f3n en el que un GVariant manipulado puede provocar un procesamiento excesivo y provocar una denegaci\u00f3n de servicio."}], "id": "CVE-2023-32611", "lastModified": "2024-11-21T08:03:41.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-14T20:15:09.550", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-32611"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211829"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/2797"}, {"source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00030.html"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/202311-18"}, {"source": "secalert@redhat.com", "url": "https://security.netapp.com/advisory/ntap-20231027-0005/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-32611"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211829"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/2797"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00030.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202311-18"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20231027-0005/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Upstream acknowledges William Manley as the original reporter.", "affected_release": [{"advisory": "RHSA-2023:6631", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "glib2-0:2.68.4-11.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}, {"advisory": "RHSA-2024:2528", "cpe": "cpe:/a:redhat:enterprise_linux:9::crb", "package": "mingw-glib2-0:2.78.0-1.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2023:6631", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "glib2-0:2.68.4-11.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}], "bugzilla": {"description": "glib: g_variant_byteswap() can take a long time with some non-normal inputs", "id": "2211829", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211829"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.", "A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service."], "name": "CVE-2023-32611", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "glib2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "glib2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "glib2", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2022-12-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-32611\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-32611\nhttps://gitlab.gnome.org/GNOME/glib/-/issues/2797"], "statement": "This vulnerability allows for a denial of service attack to be performed against applications that process untrusted GVariant input, compromising application availability by consuming excessive processing time or utilizing a large quantity of memory. The most likely threat is from a local user, which may be possible depending on the configuration of the service and the format of parameters that it expects. While a remote attack is possible if the application is configured to read GVariants over a network connection, this is not the default configuration which makes the likelihood low. Because the most widely available attack vector is local and the consequences are limited to denial of service, Red Hat Product Security rates the impact as Low.", "threat_severity": "Low"}