LAYER: meta-ros2
PACKAGE NAME: graphviz
PACKAGE VERSION: 12.2.1
CVE: CVE-2005-4803
CVE STATUS: Patched
CVE SUMMARY: graphviz before 2.2.1 allows local users to overwrite arbitrary files via a symlink attack on temporary files.  NOTE: this issue was originally associated with a different CVE identifier, CVE-2005-2965, which had been used for multiple different issues.  This is the correct identifier.
CVSS v2 BASE SCORE: 3.6
CVSS v3 BASE SCORE: 0.0
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4803

LAYER: meta-ros2
PACKAGE NAME: graphviz
PACKAGE VERSION: 12.2.1
CVE: CVE-2008-4555
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the push_subg function in parser.y (lib/graph/parser.c) in Graphviz 2.20.2, and possibly earlier versions, allows user-assisted remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a DOT file with a large number of Agraph_t elements.
CVSS v2 BASE SCORE: 8.5
CVSS v3 BASE SCORE: 0.0
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4555

LAYER: meta-ros2
PACKAGE NAME: graphviz
PACKAGE VERSION: 12.2.1
CVE: CVE-2014-0978
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file.
CVSS v2 BASE SCORE: 9.3
CVSS v3 BASE SCORE: 0.0
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0978

LAYER: meta-ros2
PACKAGE NAME: graphviz
PACKAGE VERSION: 12.2.1
CVE: CVE-2014-1235
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the "yyerror" function in Graphviz 2.34.0 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted file.  NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-0978.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1235

LAYER: meta-ros2
PACKAGE NAME: graphviz
PACKAGE VERSION: 12.2.1
CVE: CVE-2014-1236
CVE STATUS: Patched
CVE SUMMARY: Stack-based buffer overflow in the chkNum function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via vectors related to a "badly formed number" and a "long digit list."
CVSS v2 BASE SCORE: 10.0
CVSS v3 BASE SCORE: 0.0
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1236

LAYER: meta-ros2
PACKAGE NAME: graphviz
PACKAGE VERSION: 12.2.1
CVE: CVE-2014-9157
CVE STATUS: Patched
CVE SUMMARY: Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vectors, which are not properly handled in an error string.
CVSS v2 BASE SCORE: 7.5
CVSS v3 BASE SCORE: 0.0
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9157

LAYER: meta-ros2
PACKAGE NAME: graphviz
PACKAGE VERSION: 12.2.1
CVE: CVE-2018-10196
CVE STATUS: Patched
CVE SUMMARY: NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library in Graphviz 2.40.1 allows remote attackers to cause a denial of service (application crash) via a crafted file.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 5.5
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10196

LAYER: meta-ros2
PACKAGE NAME: graphviz
PACKAGE VERSION: 12.2.1
CVE: CVE-2019-11023
CVE STATUS: Patched
CVE SUMMARY: The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39.20160612.1140 has a NULL pointer dereference, as demonstrated by graphml2gv.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 8.8
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11023

LAYER: meta-ros2
PACKAGE NAME: graphviz
PACKAGE VERSION: 12.2.1
CVE: CVE-2019-9904
CVE STATUS: Patched
CVE SUMMARY: An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c in libcgraph.a, related to agfstsubg in lib\cgraph\subg.c.
CVSS v2 BASE SCORE: 4.3
CVSS v3 BASE SCORE: 6.5
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9904

LAYER: meta-ros2
PACKAGE NAME: graphviz
PACKAGE VERSION: 12.2.1
CVE: CVE-2020-18032
CVE STATUS: Patched
CVE SUMMARY: Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component.
CVSS v2 BASE SCORE: 6.8
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: NETWORK
VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-18032

LAYER: meta-ros2
PACKAGE NAME: graphviz
PACKAGE VERSION: 12.2.1
CVE: CVE-2023-46045
CVE STATUS: Patched
CVE SUMMARY: Graphviz 2.36.0 through 9.x before 10.0.1 has an out-of-bounds read via a crafted config6a file. NOTE: exploitability may be uncommon because this file is typically owned by root.
CVSS v2 BASE SCORE: 0.0
CVSS v3 BASE SCORE: 7.8
CVSS v4 BASE SCORE: 0.0
VECTOR: LOCAL
VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46045