openSUSE update for Mozilla
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 26 |
| CVE-ID | CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750 CVE-2017-7751 CVE-2017-7752 CVE-2017-7754 CVE-2017-7755 CVE-2017-7756 CVE-2017-7757 CVE-2017-7758 CVE-2017-7760 CVE-2017-7761 CVE-2017-7764 CVE-2017-7765 CVE-2017-7766 CVE-2017-7767 CVE-2017-7768 CVE-2017-7771 CVE-2017-7772 CVE-2017-7773 CVE-2017-7774 CVE-2017-7775 CVE-2017-7776 CVE-2017-7777 CVE-2017-7778 |
| CWE-ID | CWE-119 CWE-416 CWE-125 CWE-426 CWE-427 CWE-200 CWE-20 CWE-787 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Opensuse Operating systems & Components / Operating system |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 26 vulnerabilities.
1) Memory corruption
EUVDB-ID: #VU7080
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-5470
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free error
EUVDB-ID: #VU7063
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-5472
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error with the frameloader during tree reconstruction while regenerating CSS layout. A remote attacker can use a node in the tree that no longer exists, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after-free error
EUVDB-ID: #VU7064
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7749
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error when using an incorrect URL during the reloading of a docshell. A remote attacker can trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Use-after-free error
EUVDB-ID: #VU7065
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7750
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error during video control operations when a <track>
element holds a reference to an older window if that window has been replaced in the DOM. A remote attacker can trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use-after-free error
EUVDB-ID: #VU7066
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7751
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error with content viewer listeners. A remote attacker can trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use-after-free error
EUVDB-ID: #VU7067
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7752
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error during specific user interactions with the input method editor (IME) in some languages due to how events are handled. A remote attacker can trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Out-of-bounds read
EUVDB-ID: #VU7068
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7754
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to out-of-bounds read in WebGL. A remote attacker can use a specially crafted ImageInfo object during WebGL operations and read arbitrary files.
Successful exploitation of the vulnerability results in information disclosure.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Insecure DLL library loading
EUVDB-ID: #VU7069
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7755
CWE-ID:
CWE-426 - Untrusted Search Path
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to insecure .dll loading mechanism when opening files. A remote attacker can place a specially crafted .dll file along with installer on a remote SBM or WebDAV share, trick the victim into running the installer file from this directory and execute arbitrary code on the target system with privileges of the current victim.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Use-after-free error
EUVDB-ID: #VU7070
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7756
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free and use-after-scope error when logging errors from headers for XML HTTP Requests (XHR). A remote attacker can trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Use-after-free error
EUVDB-ID: #VU7071
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7757
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in IndexedDB when one of its objects is destroyed in memory while a method on it is still being executed. A remote attacker can trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Out-of-bounds read
EUVDB-ID: #VU7072
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7758
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive on the target system.
The weakness exists due to out-of-bounds read with the Opus encoder when the number of channels in an audio stream changes while the encoder is in use. A remote attacker can trigger memory corruption and read arbitrary files on the system.
Successful exploitation of the vulnerability results in information disclosure.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Privilege escalation
EUVDB-ID: #VU7073
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7760
CWE-ID:
CWE-427 - Uncontrolled Search Path Element
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to uncontrolled search path element. A local attacker can pass a special path to the callback parameter through the Mozilla Maintenance Service, manipulate files in the installation directory and gain system privileges.
Successful exploitation of the vulnerability may result in privileges escalation.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Insecure DLL library loading
EUVDB-ID: #VU7074
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7761
CWE-ID:
CWE-427 - Uncontrolled Search Path Element
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists in the Mozilla Maintenance Service helper.exe application due to insecure .dll loading mechanism when opening files. A local attacker can place a specially crafted .dll file along with junction protected files on a remote SBM or WebDAV share, trick the victim into opening legitimate media file and execute arbitrary code on the target system with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Information disclosure
EUVDB-ID: #VU7075
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7764
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The weakness exists due to mix of characters from the "Canadian Syllabics" unicode block with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form. A remote attacker can use characters confusion to perform domain name spoofing attacks and read arbitrary files.
Successful exploitation of the vulnerability results in information disclosure.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Security bypass
EUVDB-ID: #VU7076
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7765
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to incorrect saving of the "Mark of the Web" on Windows when files with very long names were downloaded from the Internet. A remote attacker can trick the victim into downloading a specially crafted file, execute it and bypass "Mark of the Web".
Successful exploitation of the vulnerability may result in further attacks.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Privilege escalation
EUVDB-ID: #VU7077
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7766
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists in the Mozilla Windows Updater due to improper input validation. A local attacker can use manipulation of updater.ini contents and the Maintenance Service to execute and delete arbitrary files with system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Privilege escalation
EUVDB-ID: #VU7078
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7767
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists in the Mozilla Maintenance Service on Windows due to improper input validation. A local attacker can overwrite arbitrary files with junk data using the Mozilla Windows Updater and gain system privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Information disclosure
EUVDB-ID: #VU7079
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7768
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The weakness exists in the Mozilla Windows Updater due to improper access control. A local attacker can use Mozilla Maintenance Service to bypass system protections and read 32 bytes of any arbitrary file on the local system.
Successful exploitation of the vulnerability results in information disclosure.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Out-of-bounds read
EUVDB-ID: #VU7082
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7771
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Graphite 2 library due to out-of-bounds-read. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Heap-buffer-overflow write
EUVDB-ID: #VU7083
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7772
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in Graphite 2 library due to heap-buffer-overflow write. A remote attacker can execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Heap-buffer-overflow write
EUVDB-ID: #VU7084
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7773
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in Graphite 2 library due to heap-buffer-overflow write. A remote attacker can execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Out-of-bounds read
EUVDB-ID: #VU7085
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7774
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Graphite 2 library due to out-of-bounds-read. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Denial of service
EUVDB-ID: #VU7086
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7775
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Graphite 2 library due to an error in 'size() > n'. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Heap-buffer-overflow read
EUVDB-ID: #VU7087
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7776
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Graphite 2 library due to heap-buffer-overflow read. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Denial of service
EUVDB-ID: #VU7088
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7777
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Graphite 2 library due to use of uninitialized memory. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Out-of-bounds write
EUVDB-ID: #VU7081
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7778
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in Graphite 2 library due to out-of-bounds-write. A remote attacker can execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsOpensuse: 42.2
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-security-announce/2017-06/msg00017.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
