Strix
26.1K

CVE-2019-19451

MEDIUMCVSS 5.5/10EPSS 0.37%

Last modified

CVE-2019-19451 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. If this launch is from a thumbnailer service, this output will usually be written to disk via the system's logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable. EPSS estimates a 0.37% chance of exploitation in the next 30 days.

Description

When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. If this launch is from a thumbnailer service, this output will usually be written to disk via the system's logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable. (The filename can be for a nonexistent file.) NOTE: this does not affect an upstream release, but affects certain Linux distribution packages with version numbers such as 0.97.3.

Metrics

CVSS 3.1
5.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
0.37%

28.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
GnomeDia< 2019-11-27
FedoraprojectFedora32
FedoraprojectFedora33
OpensuseLeap15.1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2019-19451?
When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. If this launch is from a thumbnailer service, this output will usually be written to disk via the system's logging facility (potentially with elevated privileges), thus filling up the disk and eventually rendering the system unusable. (The filename can be for a nonexistent file.) NOTE: this does not affect an upstream release, but affects certain Linux distribution packages with version numbers such as 0.97.3.
How severe is CVE-2019-19451?
CVE-2019-19451 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 0.37% probability of exploitation in the next 30 days.
How do I fix CVE-2019-19451?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-19451?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST