Advisory Details

February 12th, 2020

ELOG Electronic Logbook drop-count Null Pointer Dereference Denial-of-Service Vulnerability

ZDI-20-252
ZDI-CAN-10115

CVE ID CVE-2020-8859
CVSS SCORE 5.3, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
AFFECTED VENDORS ELOG
AFFECTED PRODUCTS Electronic Logbook
VULNERABILITY DETAILS

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of ELOG Electronic Logbook. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the processing of HTTP parameters. A crafted request can trigger the dereference of a null pointer. An attacker can leverage this vulnerability to create a denial-of-service condition.
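The advisory text above is deliberately terse. The bug class it describes, a parameter lookup that returns NULL for a missing or malformed HTTP parameter and a caller that dereferences the result without checking, is shown below as an added illustration that is not ELOG's code and is not derived from the ELOG source. The parameter name "drop-count" is taken from the advisory title; the parser, the `getparam` helper, the handler names and the sample requests are assumptions constructed for this example.

```c
/* Illustrative example (not ELOG's code): a NULL pointer dereference in
 * HTTP query-parameter handling, beside the check that prevents it.
 * getparam(), the handler names and the sample requests are assumptions
 * made for this demo; only the "drop-count" name comes from the advisory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARAMS 16

struct param { char key[32]; char value[128]; };

/* Minimal application/x-www-form-urlencoded parser for a query string.
 * Keys without '=' get an empty value; percent-decoding is omitted. */
static int parse_query(const char *query, struct param *out, int max)
{
    int n = 0;
    const char *p = query;
    while (*p && n < max) {
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        size_t klen = eq ? (size_t)(eq - p) : len;
        size_t vlen = eq ? len - klen - 1 : 0;
        if (klen >= sizeof out[n].key) klen = sizeof out[n].key - 1;
        if (vlen >= sizeof out[n].value) vlen = sizeof out[n].value - 1;
        memcpy(out[n].key, p, klen);
        out[n].key[klen] = '\0';
        memcpy(out[n].value, eq ? eq + 1 : "", vlen);
        out[n].value[vlen] = '\0';
        n++;
        if (!end) break;
        p = end + 1;
    }
    return n;
}

/* Returns the value for key, or NULL when the parameter is absent. */
static const char *getparam(const struct param *params, int n, const char *key)
{
    for (int i = 0; i < n; i++)
        if (strcmp(params[i].key, key) == 0)
            return params[i].value;
    return NULL;
}

/* Vulnerable pattern: the handler assumes the parameter is always present.
 * A request that omits "drop-count" makes getparam() return NULL, and the
 * strlen() below dereferences it: one unauthenticated request crashes the
 * process. Only call this with requests that carry the parameter. */
static int handle_drop_count_vulnerable(const char *query)
{
    struct param params[MAX_PARAMS];
    int n = parse_query(query, params, MAX_PARAMS);
    const char *v = getparam(params, n, "drop-count");
    if (strlen(v) == 0)            /* NULL dereference when the parameter is missing */
        return 0;
    return atoi(v);
}

/* Hardened pattern: test for absence before any dereference and return an
 * error the caller can map to an HTTP 400 instead of a crash. */
static int handle_drop_count_hardened(const char *query, int *count)
{
    struct param params[MAX_PARAMS];
    int n = parse_query(query, params, MAX_PARAMS);
    const char *v = getparam(params, n, "drop-count");
    if (v == NULL || *v == '\0')
        return -1;                 /* missing or empty: reject the request */
    char *endp;
    long val = strtol(v, &endp, 10);
    if (*endp != '\0' || val < 0 || val > 1000000)
        return -1;                 /* not a sane non-negative integer: reject */
    *count = (int)val;
    return 0;
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    const char *normal  = "cmd=Delete&id=42&drop-count=3";
    const char *crafted = "cmd=Delete&id=42";   /* parameter omitted */
    int count = 0;

    printf("normal request, vulnerable handler: %d\n",
           handle_drop_count_vulnerable(normal));
    printf("crafted request, hardened handler: %s\n",
           handle_drop_count_hardened(crafted, &count) == 0 ? "accepted" : "rejected");
    /* handle_drop_count_vulnerable(crafted) would dereference NULL here. */
    return 0;
}
```

The hardened handler treats "absent", "empty" and "not an integer" as the same rejection, which is the behaviour a reviewer should look for in any parameter-driven code path: every lookup that can return NULL must be checked at the point of use, not assumed to succeed because the normal web UI always sends the field.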

ADDITIONAL DETAILS

Fixed in version 3.1.4-033e292 (the suffix after the version number is the short git commit hash of the ELOG build; compare it against the string your installation reports, not just the 3.1.4 prefix).


DISCLOSURE TIMELINE
  • 2020-01-31 - Vulnerability reported to vendor
  • 2020-02-12 - Coordinated public release of advisory
CREDIT Asif Akbar of Trend Micro Security Research