Out-of-bounds read in curl (Alpine package)



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-1000099
CWE-ID CWE-125
Exploitation vector Local
Public exploit N/A
Vulnerable software
 curl (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Out-of-bounds read

EUVDB-ID: #VU7882

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-1000099

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

The weakness exists due to out-of bounds read. A local attacker can load a specially crafted 'file://' URL to cause the curl application to return data from system memory.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

Install update from vendor's website.

Vulnerable software versions

curl (Alpine package): 7.21.1-r0 - 7.54.1-r0

CPE2.3 External links

https://git.alpinelinux.org/aports/commit/?id=cbf50badfab16636b8752fadd5fa558b9fca6999
https://git.alpinelinux.org/aports/commit/?id=4a60b4d3583938cdd36c82d763ac5167d7720079
https://git.alpinelinux.org/aports/commit/?id=8e6f31c56dbe2966fb43113f9c7c1039bbef9865
https://git.alpinelinux.org/aports/commit/?id=a51f2d7593706eb38073b80df6192c6730f36c60
https://git.alpinelinux.org/aports/commit/?id=dba8b02f8c7dbcbb9187eac2b24fd749edc37599


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###