Sign-up

ID

VAR-201409-0768


CVE

CVE-2014-5506


TITLE

SAP Crystal Reports Memory double free vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-004051

DESCRIPTION

Double free vulnerability in SAP Crystal Reports allows remote attackers to execute arbitrary code via crafted connection string record in an RPT file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of RPT files. The issue lies in processing a connection string record. An attacker can leverage this vulnerability to execute code under the context of the current process. Failed exploit attempts will result in a denial-of-service condition

Trust: 2.52

sources: NVD: CVE-2014-5506 // JVNDB: JVNDB-2014-004051 // ZDI: ZDI-14-302 // BID: 69557

AFFECTED PRODUCTS

vendor:sapmodel:crystal reportsscope:eqversion: -

Trust: 1.6

vendor:sapmodel:crystal reportsscope: - version: -

Trust: 1.5

sources: ZDI: ZDI-14-302 // JVNDB: JVNDB-2014-004051 // CNNVD: CNNVD-201409-042 // NVD: CVE-2014-5506

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-5506
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-5506
value: MEDIUM

Trust: 0.8

ZDI: CVE-2014-5506
value: MEDIUM

Trust: 0.7

CNNVD: CNNVD-201409-042
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2014-5506
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.5

sources: ZDI: ZDI-14-302 // JVNDB: JVNDB-2014-004051 // CNNVD: CNNVD-201409-042 // NVD: CVE-2014-5506

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2014-004051 // NVD: CVE-2014-5506

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201409-042

TYPE

Unknown

Trust: 0.3

sources: BID: 69557

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-004051

PATCH
title:SAP Security Note 1999142url:http://scn.sap.com/docs/DOC-8218
Trust: 0.8
title:SAP has issued an update to correct this vulnerability.url:http://service.sap.com/sap/support/notes/1999142
Trust: 0.7
sources:
            
            
            ZDI: ZDI-14-302 // 
            
            
            
            JVNDB: JVNDB-2014-004051

EXTERNAL IDS
db:NVDid:CVE-2014-5506
Trust: 3.4
db:ZDIid:ZDI-14-302
Trust: 3.4
db:BIDid:69557
Trust: 1.3
db:SECUNIAid:61016
Trust: 1.0
db:JVNDBid:JVNDB-2014-004051
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-2143
Trust: 0.7
db:CNNVDid:CNNVD-201409-042
Trust: 0.6
sources:
            
            
            ZDI: ZDI-14-302 // 
            
            
            
            BID: 69557 // 
            
            
            
            JVNDB: JVNDB-2014-004051 // 
            
            
            
            CNNVD: CNNVD-201409-042 // 
            
            
            
            NVD: CVE-2014-5506

REFERENCES
url:http://www.zerodayinitiative.com/advisories/zdi-14-302/
Trust: 2.7
url:https://service.sap.com/sap/support/notes/1999142
Trust: 2.6
url:http://scn.sap.com/docs/doc-8218
Trust: 1.6
url:http://secunia.com/advisories/61016
Trust: 1.0
url:http://www.securityfocus.com/bid/69557
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5506
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-5506
Trust: 0.8
url:http://www.sap.com/solutions/sap-crystal-solutions/query-reporting-analysis/sapcrystalreports/index.epx
Trust: 0.3
sources:
            
            
            ZDI: ZDI-14-302 // 
            
            
            
            BID: 69557 // 
            
            
            
            JVNDB: JVNDB-2014-004051 // 
            
            
            
            CNNVD: CNNVD-201409-042 // 
            
            
            
            NVD: CVE-2014-5506

CREDITS
Aniway.Anyway@gmail.com
Trust: 1.0
sources:
            
            
            ZDI: ZDI-14-302 // 
            
            
            
            BID: 69557

SOURCES
db:ZDIid:ZDI-14-302
db:BIDid:69557
db:JVNDBid:JVNDB-2014-004051
db:CNNVDid:CNNVD-201409-042
db:NVDid:CVE-2014-5506

LAST UPDATE DATE
2024-11-23T23:09:21.922000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-14-302date:2014-09-03T00:00:00
db:BIDid:69557date:2014-09-03T00:00:00
db:JVNDBid:JVNDB-2014-004051date:2014-09-08T00:00:00
db:CNNVDid:CNNVD-201409-042date:2014-09-05T00:00:00
db:NVDid:CVE-2014-5506date:2024-11-21T02:12:08.897

SOURCES RELEASE DATE
db:ZDIid:ZDI-14-302date:2014-09-03T00:00:00
db:BIDid:69557date:2014-09-03T00:00:00
db:JVNDBid:JVNDB-2014-004051date:2014-09-08T00:00:00
db:CNNVDid:CNNVD-201409-042date:2014-09-05T00:00:00
db:NVDid:CVE-2014-5506date:2014-09-04T17:55:08.937