CVE-2018-1000224 - Missing Initialization of Resource vulnerability in Godotengine Godot
Summary
Godot Engine, all versions prior to 2.1.5 and all 3.0 versions prior to 3.0.6, contains signed/unsigned comparison, wrong buffer size check, integer overflow, and missing padding initialization vulnerabilities in the (de)serialization functions (core/io/marshalls.cpp) that can result in DoS (packet of death) and a possible leak of uninitialized memory. The attack appears to be exploitable when a malformed packet is received over the network by a Godot application that uses built-in serialization (e.g. a game server or game client), and could be triggered by a multiplayer opponent. This vulnerability appears to have been fixed in 2.1.5, 3.0.6, and the master branch after commit feaf03421dda0213382b51aff07bd5a96b29487b.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
Description (identical for the three Fedora plugins listed below):

**Security update: Godot 3.0.6**

This update brings the latest upstream release of Godot Engine, with several bug fixes and improvements applied on top of Godot 3.0.4. This release is compatible with previous Godot 3.0.x versions and should load existing projects without issue.

Version 3.0.6 also fixes the following security vulnerabilities: Fabio Alessandrelli found and fixed several security vulnerabilities in the marshalling code of Godot Engine, which could be used by a remote Godot client to cause a Denial of Service for a Godot server (CVE-2018-1000224).

*References:*
- Release announcement: https://godotengine.org/article/maintenance-release-godot-3-0-6
- Changelog: https://downloads.tuxfamily.org/godotengine/3.0.6/Godot_v3.0.6-stable_changelog.txt
- Details about CVE-2018-1000224: https://github.com/godotengine/godot/issues/20558

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Fedora 28 : godot (2018-ad83f27a39)
  - NASL family: Fedora Local Security Checks
  - NASL id: FEDORA_2018-AD83F27A39.NASL
  - plugin id: 120702
  - published: 2019-01-03
  - modified: 2019-01-03
  - last seen: 2020-06-05
  - reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/120702
- Fedora 29 : godot (2018-8d58297dc0)
  - NASL family: Fedora Local Security Checks
  - NASL id: FEDORA_2018-8D58297DC0.NASL
  - plugin id: 120602
  - published: 2019-01-03
  - modified: 2019-01-03
  - last seen: 2020-06-05
  - reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/120602
- Fedora 27 : godot (2018-6121f427e5)
  - NASL family: Fedora Local Security Checks
  - NASL id: FEDORA_2018-6121F427E5.NASL
  - plugin id: 117439
  - published: 2018-09-12
  - modified: 2018-09-12
  - last seen: 2020-06-05
  - reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  - source: https://www.tenable.com/plugins/nessus/117439
References
- https://github.com/godotengine/godot/issues/20558
- https://godotengine.org/article/maintenance-release-godot-2-1-5
- https://godotengine.org/article/maintenance-release-godot-3-0-6