ID

VAR-201812-1073


CVE

CVE-2018-19939


TITLE

NULL pointer dereference vulnerability in Xiaomi daisy-o-oss Mi A2 Lite and RedMi6 pro devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-014322

DESCRIPTION

The Goodix GT9xx touchscreen driver for custom Linux kernels on Xiaomi daisy-o-oss and daisy-p-oss, as used in Mi A2 Lite and RedMi6 pro devices through 2018-08-27, has a NULL pointer dereference in kfree after a kmalloc failure in gtp_read_Color in drivers/input/touchscreen/gt917d/gt9xx.c. Xiaomi Mi A2 Lite and RedMi6 pro are both smartphones from the Chinese company Xiaomi Technology (Xiaomi). The vulnerability stems from improper design or implementation in the code development process of network systems or products. An attacker could use this vulnerability to cause a denial of service (NULL pointer dereference).

Trust: 2.25

sources: NVD: CVE-2018-19939 // JVNDB: JVNDB-2018-014322 // CNVD: CNVD-2020-27292 // VULHUB: VHN-130648

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-27292

AFFECTED PRODUCTS

vendor: mi, model: a2 lite, scope: lte, version: 2018-08-27

Trust: 1.0

vendor: mi, model: redmi 6, scope: lte, version: 2018-08-27

Trust: 1.0

vendor: xiaomi, model: redmi 6, scope: lte, version: 2018-08-27

Trust: 0.8

vendor: xiaomi, model: mi-a2 lite, scope: lte, version: 2018-08-27

Trust: 0.8

vendor: xiaomi, model: redmi6 pro, scope: lte, version: <=2018-08-27

Trust: 0.6

vendor: xiaomi, model: mi a2 lite, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2020-27292 // JVNDB: JVNDB-2018-014322 // NVD: CVE-2018-19939

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-19939
value: HIGH

Trust: 1.0

NVD: CVE-2018-19939
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-27292
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201812-294
value: HIGH

Trust: 0.6

VULHUB: VHN-130648
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-19939
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-27292
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-130648
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-19939
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2018-19939
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-27292 // VULHUB: VHN-130648 // JVNDB: JVNDB-2018-014322 // CNNVD: CNNVD-201812-294 // NVD: CVE-2018-19939

PROBLEMTYPE DATA

problemtype: CWE-476

Trust: 1.9

sources: VULHUB: VHN-130648 // JVNDB: JVNDB-2018-014322 // NVD: CVE-2018-19939

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201812-294

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201812-294

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-014322

PATCH

title: NULL pointer dereferencing in the touchscreen driver of daisy-o-oss branch #972
url: https://github.com/MiCode/Xiaomi_Kernel_OpenSource/issues/972

Trust: 0.8

sources: JVNDB: JVNDB-2018-014322

EXTERNAL IDS

db: NVD, id: CVE-2018-19939

Trust: 3.1

db: JVNDB, id: JVNDB-2018-014322

Trust: 0.8

db: CNVD, id: CNVD-2020-27292

Trust: 0.7

db: CNNVD, id: CNNVD-201812-294

Trust: 0.7

db: VULHUB, id: VHN-130648

Trust: 0.1

sources: CNVD: CNVD-2020-27292 // VULHUB: VHN-130648 // JVNDB: JVNDB-2018-014322 // CNNVD: CNNVD-201812-294 // NVD: CVE-2018-19939

REFERENCES

url: https://github.com/micode/xiaomi_kernel_opensource/issues/972

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2018-19939

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-19939

Trust: 0.8

sources: CNVD: CNVD-2020-27292 // VULHUB: VHN-130648 // JVNDB: JVNDB-2018-014322 // CNNVD: CNNVD-201812-294 // NVD: CVE-2018-19939

SOURCES

db: CNVD, id: CNVD-2020-27292
db: VULHUB, id: VHN-130648
db: JVNDB, id: JVNDB-2018-014322
db: CNNVD, id: CNNVD-201812-294
db: NVD, id: CVE-2018-19939

LAST UPDATE DATE

2024-11-23T23:04:55.025000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-27292, date: 2020-05-09T00:00:00
db: VULHUB, id: VHN-130648, date: 2022-12-09T00:00:00
db: JVNDB, id: JVNDB-2018-014322, date: 2019-03-18T00:00:00
db: CNNVD, id: CNNVD-201812-294, date: 2019-05-22T00:00:00
db: NVD, id: CVE-2018-19939, date: 2024-11-21T03:58:51.013

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-27292, date: 2020-05-09T00:00:00
db: VULHUB, id: VHN-130648, date: 2018-12-07T00:00:00
db: JVNDB, id: JVNDB-2018-014322, date: 2019-03-18T00:00:00
db: CNNVD, id: CNNVD-201812-294, date: 2018-12-10T00:00:00
db: NVD, id: CVE-2018-19939, date: 2018-12-07T09:29:00.353