This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Detail
Vendor: Graphviz
Product: Graphviz
First view: 2005-12-31
Last view: 2024-02-02
Version:
Type:
Update:
Edition:
Language:
Software Edition:
Target Software:
Target Hardware:
Other:

COMMON PLATFORM ENUMERATION: Repartition per Version

CPE Name Affected CVE
cpe:2.3:a:graphviz:graphviz:-:*:*:*:*:*:*:* 5
cpe:2.3:a:graphviz:graphviz:2.34.0:*:*:*:*:*:*:* 5
cpe:2.3:a:graphviz:graphviz:1.7.5.2:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:*:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:2.40.1:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:2.2:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.7.5_0.3:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.7.5_0.2:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.10_2003-09-15_0415_1:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.7.5.1:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.12.3:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.12.2:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.7.5_0.1:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.7.5.7:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.7.16.2:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.5.3:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.5.1:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.5.2:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.7.5.5:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.7.5.6:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.8.9.1:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.14.1:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.16.1:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.7.5.4:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.7.16.1:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.12.1:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.10_2003-09-15_0415_2:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.8.5.2:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.8.5.1:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:1.7.5.3:*:*:*:*:*:*:* 4
cpe:2.3:a:graphviz:graphviz:2.10:*:*:*:*:*:*:* 3
cpe:2.3:a:graphviz:graphviz:2.12:*:*:*:*:*:*:* 3
cpe:2.3:a:graphviz:graphviz:2.20.1:*:*:*:*:*:*:* 3
cpe:2.3:a:graphviz:graphviz:2.14:*:*:*:*:*:*:* 3
cpe:2.3:a:graphviz:graphviz:2.16:*:*:*:*:*:*:* 3
cpe:2.3:a:graphviz:graphviz:2.2.1.1:*:*:*:*:*:*:* 3
cpe:2.3:a:graphviz:graphviz:2.2.1:*:*:*:*:*:*:* 3
cpe:2.3:a:graphviz:graphviz:2.2.2:*:*:*:*:*:*:* 3
cpe:2.3:a:graphviz:graphviz:2.6:*:*:*:*:*:*:* 3
cpe:2.3:a:graphviz:graphviz:2.8:*:*:*:*:*:*:* 3
cpe:2.3:a:graphviz:graphviz:2.18:*:*:*:*:*:*:* 3
cpe:2.3:a:graphviz:graphviz:2.4:*:*:*:*:*:*:* 3
cpe:2.3:a:graphviz:graphviz:2.20.0:*:*:*:*:*:*:* 3
cpe:2.3:a:graphviz:graphviz:2.39.20160612.1140:*:*:*:*:*:*:* 3

Related : CVE

Score Date Alert Description
7.8 2024-02-02 CVE-2023-46045

Graphviz 2.36.0 through 9.x before 10.0.1 has an out-of-bounds read via a crafted config6a file. NOTE: exploitability may be uncommon because this file is typically owned by root.

7.8 2021-04-29 CVE-2020-18032

Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component.

8.8 2019-04-08 CVE-2019-11023

The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39.20160612.1140 has a NULL pointer dereference, as demonstrated by graphml2gv.

6.5 2019-03-21 CVE-2019-9904

An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c in libcgraph.a, related to agfstsubg in lib\cgraph\subg.c.

5.5 2018-05-30 CVE-2018-10196

NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library in Graphviz 2.40.1 allows remote attackers to cause a denial of service (application crash) via a crafted file.

7.8 2017-08-07 CVE-2014-1235

Stack-based buffer overflow in the "yyerror" function in Graphviz 2.34.0 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted file. NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-0978.

7.5 2014-12-03 CVE-2014-9157

Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vectors, which are not properly handled in an error string.

10 2014-01-10 CVE-2014-1236

Stack-based buffer overflow in the chkNum function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via vectors related to a "badly formed number" and a "long digit list."

9.3 2014-01-10 CVE-2014-0978

Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file.

8.5 2008-10-14 CVE-2008-4555

Stack-based buffer overflow in the push_subg function in parser.y (lib/graph/parser.c) in Graphviz 2.20.2, and possibly earlier versions, allows user-assisted remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a DOT file with a large number of Agraph_t elements.

3.6 2005-12-31 CVE-2005-4803

graphviz before 2.2.1 allows local users to overwrite arbitrary files via a symlink attack on temporary files. NOTE: this issue was originally associated with a different CVE identifier, CVE-2005-2965, which had been used for multiple different issues. This is the correct identifier.

CWE : Common Weakness Enumeration

% id Name
40% (4) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
20% (2) CWE-476 NULL Pointer Dereference
10% (1) CWE-674 Uncontrolled Recursion
10% (1) CWE-134 Uncontrolled Format String
10% (1) CWE-125 Out-of-bounds Read
10% (1) CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflo...

Oval Markup Language : Definitions

OvalID Name
oval:org.mitre.oval:def:22492 DSA-2843-1 graphviz - buffer overflow
oval:org.mitre.oval:def:21511 USN-2083-1 -- graphviz vulnerabilities
oval:org.mitre.oval:def:28669 USN-2435-1 -- Graphviz vulnerability
oval:org.mitre.oval:def:28490 DSA-3098-1 -- graphviz security update

Open Source Vulnerability Database (OSVDB)

id Description
48939 Graphviz lib/graph/parser.c push_subg Function Crafted DOT File Overflow
19891 Graphviz dotty.lefty Symlink Arbitrary File Overwrite

OpenVAS Exploits

id Description
2009-12-10 Name : Mandriva Security Advisory MDVSA-2009:254-1 (graphviz)
File : nvt/mdksa_2009_254_1.nasl
2009-10-06 Name : Mandrake Security Advisory MDVSA-2009:254 (graphviz)
File : nvt/mdksa_2009_254.nasl
2008-11-19 Name : Gentoo Security Advisory GLSA 200811-04 (graphviz)
File : nvt/glsa_200811_04.nasl

Nessus® Vulnerability Scanner

This CPE product has more than 25 relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-25674bb48e.nasl - Type: ACT_GATHER_INFO
2018-05-30 Name: The remote Fedora host is missing a security update.
File: fedora_2018-fd850e033d.nasl - Type: ACT_GATHER_INFO
2017-12-14 Name: The remote openSUSE host is missing a security update.
File: openSUSE-2017-1341.nasl - Type: ACT_GATHER_INFO
2017-02-13 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201702-06.nasl - Type: ACT_GATHER_INFO
2015-04-03 Name: The remote Mandriva Linux host is missing one or more security updates.
File: mandriva_MDVSA-2015-187.nasl - Type: ACT_GATHER_INFO
2015-03-26 Name: The remote Debian host is missing a security update.
File: debian_DLA-105.nasl - Type: ACT_GATHER_INFO
2015-03-09 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2015-488.nasl - Type: ACT_GATHER_INFO
2015-03-09 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2015-487.nasl - Type: ACT_GATHER_INFO
2014-12-15 Name: The remote Mandriva Linux host is missing one or more security updates.
File: mandriva_MDVSA-2014-248.nasl - Type: ACT_GATHER_INFO
2014-12-15 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-3098.nasl - Type: ACT_GATHER_INFO
2014-12-09 Name: The remote Ubuntu host is missing a security-related patch.
File: ubuntu_USN-2435-1.nasl - Type: ACT_GATHER_INFO
2014-12-07 Name: The remote Fedora host is missing a security update.
File: fedora_2014-15811.nasl - Type: ACT_GATHER_INFO
2014-12-07 Name: The remote Fedora host is missing a security update.
File: fedora_2014-15760.nasl - Type: ACT_GATHER_INFO
2014-12-06 Name: The remote Fedora host is missing a security update.
File: fedora_2014-15812.nasl - Type: ACT_GATHER_INFO
2014-03-12 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2014-296.nasl - Type: ACT_GATHER_INFO
2014-03-12 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2014-297.nasl - Type: ACT_GATHER_INFO
2014-02-12 Name: The remote Fedora host is missing a security update.
File: fedora_2014-0621.nasl - Type: ACT_GATHER_INFO
2014-02-12 Name: The remote Fedora host is missing a security update.
File: fedora_2014-0602.nasl - Type: ACT_GATHER_INFO
2014-02-05 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2014-284.nasl - Type: ACT_GATHER_INFO
2014-02-05 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2014-285.nasl - Type: ACT_GATHER_INFO
2014-01-27 Name: The remote Mandriva Linux host is missing one or more security updates.
File: mandriva_MDVSA-2014-024.nasl - Type: ACT_GATHER_INFO
2014-01-17 Name: The remote Ubuntu host is missing a security-related patch.
File: ubuntu_USN-2083-1.nasl - Type: ACT_GATHER_INFO
2014-01-14 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-2843.nasl - Type: ACT_GATHER_INFO
2012-08-01 Name: The remote Scientific Linux host is missing one or more security updates.
File: sl_20091111_graphviz_on_SL5_x.nasl - Type: ACT_GATHER_INFO
2009-10-02 Name: The remote Mandriva Linux host is missing one or more security updates.
File: mandriva_MDVSA-2009-254.nasl - Type: ACT_GATHER_INFO