NewStart CGSL MAIN 7.02 : libvpx Multiple Vulnerabilities (NS-SA-2025-0182)

medium Nessus Plugin ID 242765

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 7.02, has libvpx packages installed that are affected by multiple vulnerabilities:

- Integer overflows exist in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets, and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets, and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond. (CVE-2024-5197)

- Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2023-5217)

- VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding. (CVE-2023-44488)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL libvpx packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

https://security.gd-linux.com/notice/NS-SA-2025-0182

https://security.gd-linux.com/info/CVE-2023-44488

https://security.gd-linux.com/info/CVE-2023-5217

https://security.gd-linux.com/info/CVE-2024-5197

Plugin Details

Severity: Medium

ID: 242765

File Name: newstart_cgsl_NS-SA-2025-0182_libvpx.nasl

Version: 1.1

Type: local

Published: 7/25/2025

Updated: 7/25/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-5217

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2024-5197

CVSS v4

Risk Factor: Medium

Base Score: 5.9

Threat Score: 5.9

Threat Vector: CVSS:4.0/E:A

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N

CVSS Score Source: CVE-2024-5197

Vulnerability Information

CPE: cpe:/o:zte:cgsl_main:7, p-cpe:/a:zte:cgsl_main:libvpx

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/25/2025

Vulnerability Publication Date: 8/28/2023

CISA Known Exploited Vulnerability Due Dates: 10/23/2023

Reference Information

CVE: CVE-2023-44488, CVE-2023-5217, CVE-2024-5197