Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2006-0459

flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.

Published

2006-03-29T23:02:00.000

Last Modified

2025-04-03T01:03:51.193

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-119

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	westes	flex	≤ 2.5.32	Yes

References

http://prdownloads.sourceforge.net/flex/flex-2.5.33.tar.bz2?download Product ([email protected])
http://secunia.com/advisories/19071 Patch, Vendor Advisory ([email protected])
http://secunia.com/advisories/19126 Vendor Advisory ([email protected])
http://secunia.com/advisories/19228 Vendor Advisory ([email protected])
http://secunia.com/advisories/19424 Patch, Vendor Advisory ([email protected])
http://securityreason.com/securityalert/570 Third Party Advisory ([email protected])
http://sourceforge.net/mailarchive/forum.php?thread_name=20060223020346.GA11231%40tabitha.home.tldz.org&forum_name=flex-announce Release Notes ([email protected])
http://www.gentoo.org/security/en/glsa/glsa-200603-07.xml Third Party Advisory ([email protected])
http://www.osvdb.org/23440 Broken Link, Patch ([email protected])
http://www.securityfocus.com/bid/16896 Patch, Third Party Advisory, VDB Entry ([email protected])
http://www.us.debian.org/security/2006/dsa-1020 Patch, Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2006/0770 Broken Link, URL Repurposed ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/24995 VDB Entry ([email protected])
https://usn.ubuntu.com/260-1/ Third Party Advisory ([email protected])
http://prdownloads.sourceforge.net/flex/flex-2.5.33.tar.bz2?download Product (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/19071 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/19126 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/19228 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/19424 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://securityreason.com/securityalert/570 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://sourceforge.net/mailarchive/forum.php?thread_name=20060223020346.GA11231%40tabitha.home.tldz.org&forum_name=flex-announce Release Notes (af854a3a-2127-422b-91ae-364da2661108)
http://www.gentoo.org/security/en/glsa/glsa-200603-07.xml Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.osvdb.org/23440 Broken Link, Patch (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/16896 Patch, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.us.debian.org/security/2006/dsa-1020 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2006/0770 Broken Link, URL Repurposed (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/24995 VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/260-1/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)