Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <d3ebb402-92f1-981e-019b-e33b7414befc@apache.org>
Date: Tue, 26 Nov 2024 08:17:18 +0000
From: Szymon Janc <janc@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-47250: Apache NimBLE: Lack of input validation in HCI
 advertising report could lead to potential out-of-bound access 

Severity: low

Affected versions:

- Apache NimBLE through 1.7.0

Description:

Out-of-bounds Read vulnerability in Apache NimBLE.

Missing proper validation of HCI advertising report could lead to out-of-bound access when parsing HCI event and thus bogus GAP 'device found' events being sent.
This issue requires broken or bogus Bluetooth controller and thus severity is considered low.
This issue affects Apache NimBLE: through 1.7.0.


Users are recommended to upgrade to version 1.8.0, which fixes the issue.

Credit:

Eunkyu Lee (reporter)

References:

https://mynewt.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-47250

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.