Home > Vulnerability Database > CVE-2022-46149

Mend.io Vulnerability Database

CVE-2022-46149

Good to know:

Date: November 29, 2022

Cap'n Proto is a data interchange format and remote procedure call (RPC) system. Cap'n Proro prior to versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3, as well as versions of Cap'n Proto's Rust implementation prior to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to out-of-bounds read due to logic error handling list-of-list. This issue may lead someone to remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type. Exfiltration of memory is possible if the victim performs additional certain actions on a list-of-pointer type. To be vulnerable, an application must perform a specific sequence of actions, described in the GitHub Security Advisory. The bug is present in inlined code, therefore the fix will require rebuilding dependent applications. Cap'n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3. The `capnp` Rust crate has fixes available in versions 0.13.7, 0.14.11, and 0.15.2.

Language: C++

Severity Score

5.4

Related Resources (17)

Url: https://rustsec.org/advisories/RUSTSEC-2022-0068.html

Url: https://github.com/capnproto/capnproto/tree/master/security-advisories/2022-11-30-0-pointer-list-bounds.md

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4/

Url: https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EAHKLUMJAXJEV5BPBS5XXWBQ3ZTHGOLY

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTS6TWD6K2NKXLEEFBPROQXMOFUTEYWY/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX/

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-46149

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTS6TWD6K2NKXLEEFBPROQXMOFUTEYWY

Url: https://dwrensha.github.io/capnproto-rust/2022/11/30/out_of_bounds_memory_access_bug.html

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EAHKLUMJAXJEV5BPBS5XXWBQ3ZTHGOLY/

Url: https://crates.io/crates/capnp

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4

Url: https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx

Url: https://github.com/capnproto/capnproto

Url: https://www.mend.io/vulnerability-database/CVE-2022-46149

Severity Score

5.4

Weakness Type (CWE)

Out-of-bounds Read

CWE-125

Top Fix

Upgrade Version

Upgrade to version capnp - 0.13.7,0.14.11,0.15.2

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2022-46149

Good to know:

Date: November 29, 2022

Language: C++

Severity Score

Related Resources (17)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?