{ "version": "1", "package": [ { "name": "connman", "layer": "meta", "version": "1.42", "products": [ { "product": "connman", "cvesInRecord": "Yes" }, { "product": "connection_manager", "cvesInRecord": "Yes" } ], "issue": [ { "id": "CVE-2012-2320", "summary": "ConnMan before 0.85 does not ensure that netlink messages originate from the kernel, which allows remote attackers to bypass intended access restrictions and cause a denial of service via a crafted netlink message.", "scorev2": "7.8", "scorev3": "0.0", "scorev4": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2320" }, { "id": "CVE-2012-2321", "summary": "The loopback plug-in in ConnMan before 0.85 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) host name or (2) domain name in a DHCP reply.", "scorev2": "10.0", "scorev3": "0.0", "scorev4": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2321" }, { "id": "CVE-2012-2322", "summary": "Integer overflow in the dhcpv6_get_option function in gdhcp/client.c in ConnMan before 0.85 allows remote attackers to cause a denial of service (infinite loop and crash) via an invalid length value in a DHCP packet.", "scorev2": "5.0", "scorev3": "0.0", "scorev4": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-2322" }, { "id": "CVE-2012-6459", "summary": "ConnMan 1.3 on Tizen continues to list the bluetooth service after offline mode has been enabled, which might allow remote attackers to obtain sensitive information via Bluetooth packets.", "scorev2": "4.3", "scorev3": "0.0", "scorev4": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6459" }, { "id": "CVE-2017-12865", "summary": "Stack-based buffer overflow in \"dnsproxy.c\" in connman 1.34 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted response query string passed to the \"name\" variable.", "scorev2": "7.5", "scorev3": "9.8", "scorev4": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-12865" }, { "id": "CVE-2021-26675", "summary": "A stack-based buffer overflow in dnsproxy in ConnMan before 1.39 could be used by network adjacent attackers to execute code.", "scorev2": "5.8", "scorev3": "8.8", "scorev4": "0.0", "vector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26675" }, { "id": "CVE-2021-26676", "summary": "gdhcp in ConnMan before 1.39 could be used by network-adjacent attackers to leak sensitive stack information, allowing further exploitation of bugs in gdhcp.", "scorev2": "3.3", "scorev3": "6.5", "scorev4": "0.0", "vector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-26676" }, { "id": "CVE-2021-33833", "summary": "ConnMan (aka Connection Manager) 1.30 through 1.39 has a stack-based buffer overflow in uncompress in dnsproxy.c via NAME, RDATA, or RDLENGTH (for A or AAAA).", "scorev2": "7.5", "scorev3": "9.8", "scorev4": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33833" }, { "id": "CVE-2022-23096", "summary": "An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation lacks a check for the presence of sufficient Header Data, leading to an out-of-bounds read.", "scorev2": "6.4", "scorev3": "9.1", "scorev4": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23096" }, { "id": "CVE-2022-23097", "summary": "An issue was discovered in the DNS proxy in Connman through 1.40. forward_dns_reply mishandles a strnlen call, leading to an out-of-bounds read.", "scorev2": "6.4", "scorev3": "9.1", "scorev4": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23097" }, { "id": "CVE-2022-23098", "summary": "An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has an infinite loop if no data is received.", "scorev2": "5.0", "scorev3": "7.5", "scorev4": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-23098" }, { "id": "CVE-2022-32292", "summary": "In ConnMan through 1.41, remote attackers able to send HTTP requests to the gweb component are able to exploit a heap-based buffer overflow in received_data to execute code.", "scorev2": "0.0", "scorev3": "9.8", "scorev4": "0.0", "vector": "NETWORK", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32292" }, { "id": "CVE-2022-32293", "summary": "In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a use-after-free in WISPR handling, leading to crashes or code execution.", "scorev2": "0.0", "scorev3": "8.1", "scorev4": "0.0", "vector": "NETWORK", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-32293" }, { "id": "CVE-2023-28488", "summary": "client.c in gdhcp in ConnMan through 1.41 could be used by network-adjacent attackers (operating a crafted DHCP server) to cause a stack-based buffer overflow and denial of service, terminating the connman process.", "scorev2": "0.0", "scorev3": "6.5", "scorev4": "0.0", "vector": "ADJACENT_NETWORK", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-28488" }, { "id": "CVE-2025-32366", "summary": "In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen) without a check for whether the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be larger than the amount of remaining packet data in the current state of parsing. Values of stack memory locations may be sent over the network in a response.", "scorev2": "0.0", "scorev3": "4.8", "scorev4": "0.0", "vector": "NETWORK", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-32366" }, { "id": "CVE-2025-32743", "summary": "In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c can be NULL or an empty string when the TC (Truncated) bit is set in a DNS response. This allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code, because those lookup values lead to incorrect length calculations and incorrect memcpy operations.", "scorev2": "0.0", "scorev3": "9.0", "scorev4": "0.0", "vector": "NETWORK", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-32743" } ] } ] }