Vulnerability Details CVE-2021-22547
In IoT Devices SDK, there is an implementation of calloc() that doesn't have a length check. An attacker could pass in memory objects larger than the buffer and wrap around to have a smaller buffer than required, allowing the attacker access to the other parts of the heap. We recommend upgrading the Google Cloud IoT Device SDK for Embedded C used to 1.0.3 or greater.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 5.6%
CVSS Severity
CVSS v3 Score 6.3
CVSS v2 Score 4.6
References
- https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/blob/master/RELEASE-NOTES.md
- https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/pull/119
- https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/blob/master/RELEASE-NOTES.md
- https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c/pull/119
Products affected by CVE-2021-22547
-
cpe:2.3:a:google:cloud_iot_device_sdk_for_embedded_c:*