CVE-2019-16239

CRITICAL

OpenConnect <8.05 - Buffer Overflow

Title source: llm

Description

process_http_response in OpenConnect before 8.05 has a Buffer Overflow when a malicious server uses HTTP chunked encoding with crafted chunk sizes.

References (11)

Core 11

Core References

Not Applicable x_refsource_misc

https://t2.fi/schedule/2019/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WI7ZENFAWCHF2RU4NHPL2CU4WGZ4BNDJ/

Broken Link x_refsource_confirm

http://lists.infradead.org/pipermail/openconnect-devel/2019-September/005412.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HDMZGNBLZZKAGBI2PNXYWWKLD2LXKFH6/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FX56KYWC7X4ETV4P6HGJC7GZUEBITBBS/

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2019/10/msg00003.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00060.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00061.html

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2020/dsa-4607

Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq

https://seclists.org/bugtraq/2020/Jan/31

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/4565-1/

Scores

CVSS v3 9.8

EPSS 0.0853

EPSS Percentile 92.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-120

Status published

Products (10)

canonical/ubuntu_linux 18.04

debian/debian_linux 8.0

debian/debian_linux 9.0

debian/debian_linux 10.0

fedoraproject/fedora 29

fedoraproject/fedora 30

fedoraproject/fedora 31

infradead/openconnect < 8.05

opensuse/leap 15.0

opensuse/leap 15.1

Published Sep 17, 2019

Tracked Since Feb 18, 2026