What is CVE-2019-13351?

CVE-2019-13351 is a vulnerability in JACK2 and alsa-plugins that allows for exploitation through a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running.

How severe is CVE-2019-13351?

CVE-2019-13351 has a severity score of 8.1 (high).

Which software versions are affected by CVE-2019-13351?

JACK2 versions 1.9.1 through 1.9.12 and alsa-plugins version 1.1.7 and later are affected by CVE-2019-13351.

How can CVE-2019-13351 be exploited?

Exploitation of CVE-2019-13351 depends on the timing of the double file descriptor close issue during a failed connection attempt when jackd2 is not running.

Are there any references for CVE-2019-13351?

Yes, you can find references for CVE-2019-13351 on GitHub at the following links: [link1](https://github.com/jackaudio/jack2/pull/480) and [link2](https://github.com/xbmc/xbmc/issues/16258).

Vulnerability/
CVE-2019-13351

high

8.1

5/7/2019

4/8/2024

CVE-2019-13351

First published: Fri Jul 05 2019(Updated: )

posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running. Exploitation success depends on multithreaded timing of that double close, which can result in unintended information disclosure, crashes, or file corruption due to having the wrong file associated with the file descriptor.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Jackaudio Jack2	>=1.9.1<=1.9.12
Alsa-project Alsa	<=1.1.7

Remedy

https://github.com/jackaudio/jack2/pull/480

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2019-13351?
CVE-2019-13351 is a vulnerability in JACK2 and alsa-plugins that allows for exploitation through a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running.
How severe is CVE-2019-13351?
CVE-2019-13351 has a severity score of 8.1 (high).
Which software versions are affected by CVE-2019-13351?
JACK2 versions 1.9.1 through 1.9.12 and alsa-plugins version 1.1.7 and later are affected by CVE-2019-13351.
How can CVE-2019-13351 be exploited?
Exploitation of CVE-2019-13351 depends on the timing of the double file descriptor close issue during a failed connection attempt when jackd2 is not running.
Are there any references for CVE-2019-13351?
Yes, you can find references for CVE-2019-13351 on GitHub at the following links: [link1](https://github.com/jackaudio/jack2/pull/480) and [link2](https://github.com/xbmc/xbmc/issues/16258).

collector/nvd-index
agent/references
agent/severity
agent/author
agent/tags
agent/type
agent/description
agent/event
agent/remedy
agent/first-publish-date
agent/softwarecombine
agent/last-modified-date
collector/mitre-cve
source/MITRE
vendor/jackaudio
canonical/jackaudio jack2
version/jackaudio jack2/1.9.1
version/jackaudio jack2/1.9.12
vendor/alsa-project
canonical/alsa-project alsa
version/alsa-project alsa/1.1.7

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.