CVE-2014-6262

HIGH

RRDtool <4.2.5 - RCE

Title source: llm

Description

Multiple format string vulnerabilities in the python module in RRDtool, as used in Zenoss Core before 4.2.5 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted third argument to the rrdtool.graph function, aka ZEN-15415, a related issue to CVE-2013-2131.

References (8)

[Third Party Advisory] https://docs.google.com/spreadsheets/d/1dHAc4PxUbs-4Dxzm1wSCE0sMz5UCMY6SW3PlMHSyuuQ/edit?usp=sharing

[Third Party Advisory, US Government Resource] http://www.kb.cert.org/vuls/id/449452

[Third Party Advisory, VDB Entry] https://www.securityfocus.com/bid/71540

[Third Party Advisory] https://github.com/oetiker/rrdtool-1.x/pull/532

[Patch, Third Party Advisory] https://github.com/oetiker/rrdtool-1.x/commit/64ed5314af1255ab6dded45f70b39cdeab5ae2ec

[Patch, Third Party Advisory] https://github.com/oetiker/rrdtool-1.x/commit/85261a013112e278c90224033f5b0592ee387786

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2020/03/msg00000.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2020/03/msg00003.html

Scores

CVSS v3 7.5

EPSS 0.1969

EPSS Percentile 95.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-134

Status published

Products (2)

debian/debian_linux 8.0

zenoss/zenoss_core < 4.2.5

Published Feb 12, 2020

Tracked Since Feb 18, 2026