CVE-2019-15149

18.08.2019, 20:15

core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected. NOTE: the vendor disputes this issue because it is exploitable only in conjunction with hypothetical other factors, i.e., an affected use case within a library caller, and a bug in the message receiver policy code that led to reliance on this extra protection mechanism

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 61%

Vendor	Product	Version
networkgenomics	mitogen	𝑥 < 0.2.8

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-254 -

References

https://github.com/dw/mitogen/commit/5924af1566763e48c42028399ea0cd95c457b3dc

https://mitogen.networkgenomics.com/changelog.html#v0-2-8-2019-08-18

https://github.com/dw/mitogen/commit/5924af1566763e48c42028399ea0cd95c457b3dc

https://mitogen.networkgenomics.com/changelog.html#v0-2-8-2019-08-18