CVE-2024-4854

MONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4.2.4, 4.0.0 to 4.0.14, and 3.6.0 to 3.6.22 allow denial of service via packet injection or crafted capture file

CVSS v3 6.4 MEDIUM

6.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/wireshark/wireshark/-/issues/19726	Issue Tracking
https://gitlab.com/wireshark/wireshark/-/merge_requests/15047	Product
https://gitlab.com/wireshark/wireshark/-/merge_requests/15499	Product
https://www.wireshark.org/security/wnpa-sec-2024-07.html	Vendor Advisory
https://gitlab.com/wireshark/wireshark/-/issues/19726	Issue Tracking
https://gitlab.com/wireshark/wireshark/-/merge_requests/15047	Product
https://gitlab.com/wireshark/wireshark/-/merge_requests/15499	Product
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2BSENPSIALF2WIZF7M3QBVWYBMFGW/	Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKFJAZDKXGFFQPRDYLX2AANRNMYZZEZ/	Mailing List
https://www.wireshark.org/security/wnpa-sec-2024-07.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:39:::::::*
	cpe:2.3:o:fedoraproject:fedora:40:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:wireshark:wireshark::::::::
	cpe:2.3:a:wireshark:wireshark::::::::
	cpe:2.3:a:wireshark:wireshark::-::::::*

History

18 Apr 2025, 16:34

Type	Values Removed	Values Added
References	~~() https://gitlab.com/wireshark/wireshark/-/issues/19726 -~~	() https://gitlab.com/wireshark/wireshark/-/issues/19726 - Issue Tracking
References	~~() https://gitlab.com/wireshark/wireshark/-/merge_requests/15047 -~~	() https://gitlab.com/wireshark/wireshark/-/merge_requests/15047 - Product
References	~~() https://gitlab.com/wireshark/wireshark/-/merge_requests/15499 -~~	() https://gitlab.com/wireshark/wireshark/-/merge_requests/15499 - Product
References	~~() https://www.wireshark.org/security/wnpa-sec-2024-07.html -~~	() https://www.wireshark.org/security/wnpa-sec-2024-07.html - Vendor Advisory
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2BSENPSIALF2WIZF7M3QBVWYBMFGW/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2BSENPSIALF2WIZF7M3QBVWYBMFGW/ - Mailing List
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKFJAZDKXGFFQPRDYLX2AANRNMYZZEZ/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKFJAZDKXGFFQPRDYLX2AANRNMYZZEZ/ - Mailing List
First Time		Fedoraproject Fedoraproject fedora Wireshark wireshark Wireshark
CPE		cpe:2.3:a:wireshark:wireshark:::::::: cpe:2.3:o:fedoraproject:fedora:39:::::::* cpe:2.3:a:wireshark:wireshark::-::::::* cpe:2.3:o:fedoraproject:fedora:40:::::::*

21 Nov 2024, 09:43

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2BSENPSIALF2WIZF7M3QBVWYBMFGW/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKFJAZDKXGFFQPRDYLX2AANRNMYZZEZ/ -
References	~~() https://gitlab.com/wireshark/wireshark/-/issues/19726 -~~	() https://gitlab.com/wireshark/wireshark/-/issues/19726 -
References	~~() https://gitlab.com/wireshark/wireshark/-/merge_requests/15047 -~~	() https://gitlab.com/wireshark/wireshark/-/merge_requests/15047 -
References	~~() https://gitlab.com/wireshark/wireshark/-/merge_requests/15499 -~~	() https://gitlab.com/wireshark/wireshark/-/merge_requests/15499 -
References	~~() https://www.wireshark.org/security/wnpa-sec-2024-07.html -~~	() https://www.wireshark.org/security/wnpa-sec-2024-07.html -

29 Aug 2024, 15:15

Type	Values Removed	Values Added
References	~~{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2BSENPSIALF2WIZF7M3QBVWYBMFGW/', 'source': 'cve@gitlab.com'}~~ ~~{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKFJAZDKXGFFQPRDYLX2AANRNMYZZEZ/', 'source': 'cve@gitlab.com'}~~

10 Jun 2024, 18:15

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2BSENPSIALF2WIZF7M3QBVWYBMFGW/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKFJAZDKXGFFQPRDYLX2AANRNMYZZEZ/ -

14 May 2024, 16:11

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-14 15:45

Updated : 2025-04-18 16:34

NVD link : CVE-2024-4854

Mitre link : CVE-2024-4854

CVE.ORG link : CVE-2024-4854

JSON object : View

Products Affected

wireshark

wireshark

fedoraproject

fedora

CWE

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

{"id": "CVE-2024-4854", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-05-14T15:45:18.890", "references": [{"url": "https://gitlab.com/wireshark/wireshark/-/issues/19726", "tags": ["Issue Tracking"], "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/wireshark/wireshark/-/merge_requests/15047", "tags": ["Product"], "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/wireshark/wireshark/-/merge_requests/15499", "tags": ["Product"], "source": "cve@gitlab.com"}, {"url": "https://www.wireshark.org/security/wnpa-sec-2024-07.html", "tags": ["Vendor Advisory"], "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/wireshark/wireshark/-/issues/19726", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://gitlab.com/wireshark/wireshark/-/merge_requests/15047", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://gitlab.com/wireshark/wireshark/-/merge_requests/15499", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2BSENPSIALF2WIZF7M3QBVWYBMFGW/", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKFJAZDKXGFFQPRDYLX2AANRNMYZZEZ/", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.wireshark.org/security/wnpa-sec-2024-07.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-835"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-835"}]}], "descriptions": [{"lang": "en", "value": "MONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4.2.4, 4.0.0 to 4.0.14, and 3.6.0 to 3.6.22 allow denial of service via packet injection or crafted capture file"}, {"lang": "es", "value": "Los bucles infinitos de disecci\u00f3n TLV de MONGO y ZigBee en Wireshark 4.2.0 a 4.2.4, 4.0.0 a 4.0.14 y 3.6.0 a 3.6.22 permiten la denegaci\u00f3n de servicio mediante inyecci\u00f3n de paquetes o archivo de captura manipulado"}], "lastModified": "2025-04-18T16:34:40.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F5267DB-A705-4C7B-8E63-69355A2B10AA", "versionEndIncluding": "3.6.22", "versionStartIncluding": "3.6.0"}, {"criteria": "cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "595FBFCB-DAC6-4B23-861A-F1DF5BEDF019", "versionEndIncluding": "4.0.14", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:wireshark:wireshark:*:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "263AD0F8-3AF5-45AA-B56A-127D33B76018", "versionEndIncluding": "4.2.4", "versionStartIncluding": "4.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}

6.4 /10