NVD Vulnerability Detail

CVE-2018-1000224

Summary	Godot Engine version All versions prior to 2.1.5, all 3.0 versions prior to 3.0.6. contains a Signed/unsigned comparison, wrong buffer size chackes, integer overflow, missing padding initialization vulnerability in (De)Serialization functions (core/io/marshalls.cpp) that can result in DoS (packet of death), possible leak of uninitialized memory. This attack appear to be exploitable via A malformed packet is received over the network by a Godot application that uses built-in serialization (e.g. game server, or game client). Could be triggered by multiplayer opponent. This vulnerability appears to have been fixed in 2.1.5, 3.0.6, master branch after commit feaf03421dda0213382b51aff07bd5a96b29487b.
Publication Date	Aug. 21, 2018, 5:29 a.m.
Registration Date	March 1, 2021, 6:39 p.m.
Last Update	Nov. 21, 2024, 12:39 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	https://github.com/godotengine/godot/issues/20558	Exploit Issue Tracking Patch Third Party Advisory
2	https://github.com/godotengine/godot/issues/20558	Exploit Issue Tracking Patch Third Party Advisory
3	https://godotengine.org/article/maintenance-release-godot-2-1-5	Vendor Advisory
4	https://godotengine.org/article/maintenance-release-godot-2-1-5	Vendor Advisory
5	https://godotengine.org/article/maintenance-release-godot-3-0-6	Vendor Advisory
6	https://godotengine.org/article/maintenance-release-godot-3-0-6	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-131	正しくないバッファサイズ計算	https://cwe.mitre.org/data/definitions/131.html
2	CWE-190	整数オーバーフローまたはラップアラウンド	https://cwe.mitre.org/data/definitions/190.html
3	CWE-909	リソースの初期化の不備	https://cwe.mitre.org/data/definitions/909.html
4	CWE-681	数値型間の変換の誤り	https://cwe.mitre.org/data/definitions/681.html
5	CWE-908	初期化されていないリソースの使用	https://cwe.mitre.org/data/definitions/908.html

JVN Vulnerability Information

Godot Engine における信頼性のないデータのデシリアライゼーションに関する脆弱性

Title	Godot Engine における信頼性のないデータのデシリアライゼーションに関する脆弱性
Summary	Godot Engine には、信頼性のないデータのデシリアライゼーションに関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	July 28, 2018, midnight
Registration Date	Nov. 26, 2018, 6:01 p.m.
Last Update	Nov. 26, 2018, 6:01 p.m.

Affected System

GODOT Engine

GODOT Engine 2.1.5 未満

GODOT Engine 3.0.6 未満の 3.0

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-1000224	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000224
National Vulnerability Database (NVD)
2	CVE-2018-1000224	https://nvd.nist.gov/vuln/detail/CVE-2018-1000224

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-502	https://cwe.mitre.org/data/definitions/502.html

ベンダー情報

No	Name	URL
GitHub
1	#20558	https://github.com/godotengine/godot/issues/20558
GODOT Engine
2	MAINTENANCE RELEASE: GODOT 2.1.5	https://godotengine.org/article/maintenance-release-godot-2-1-5
3	MAINTENANCE RELEASE: GODOT 3.0.6	https://godotengine.org/article/maintenance-release-godot-3-0-6

Change Log

No	Changed Details	Date of change
1	[2018年11月26日] 掲載	Nov. 26, 2018, 6:01 p.m.