CVE-2020-5234

Untrusted data can lead to DoS attack in MessagePack for C# and Unity

Description

MessagePack for C# and Unity before version 1.9.11 and 2.1.90 has a vulnerability where untrusted data can lead to DoS attack due to hash collisions and stack overflow. Review the linked GitHub Security Advisory for more information and remediation steps.

References

Link	Tags
https://github.com/neuecc/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf	third party advisory
https://github.com/neuecc/MessagePack-CSharp/commit/56fa86219d01d0a183babbbbcb34abbdea588a02	third party advisory patch
https://github.com/neuecc/MessagePack-CSharp/issues/810
https://github.com/neuecc/MessagePack-CSharp/commit/f88684078698386df02204f13faeff098a61f007

Frequently Asked Questions

What is the severity of CVE-2020-5234?: CVE-2020-5234 has been scored as a medium severity vulnerability.
How to fix CVE-2020-5234?: To fix CVE-2020-5234, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-5234 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2020-5234 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-5234?: CVE-2020-5234 affects neuecc MessagePack, neuecc MessagePack.ImmutableCollection, neuecc MessagePack.ReactiveProperty, neuecc MessagePack.UnityShims.

Description

Categories

CWE-121 – Stack-based Buffer Overflow

CWE-787 – Out-of-bounds Write

References

Frequently Asked Questions