Risk | High |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2017-13090 |
CWE-ID | CWE-122 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
wget (Alpine package) Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU8960
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-13090
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to heap-based buffer overflow in the fd_read_body() function in 'src/retr.c'' when processing HTTP chunk size values. A remote attacker can send specially crafted HTTP data, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionswget (Alpine package): 1.12-r0 - 1.18-r2
CPE2.3http://git.alpinelinux.org/aports/commit/?id=ced1a8b8b4b8d904ee0239c12b4d72699eb89493
http://git.alpinelinux.org/aports/commit/?id=1eabf36322e007ecbef28fe8ab5e63e005e82418
http://git.alpinelinux.org/aports/commit/?id=e6404a21b246558e15ba90e0a54011392d26c497
http://git.alpinelinux.org/aports/commit/?id=06efc389600960466f2d0f27de63ab5984f00518
http://git.alpinelinux.org/aports/commit/?id=7293c28368ce48a6b22ed6010220211e8422023e
http://git.alpinelinux.org/aports/commit/?id=df8fbf720824642c3008a9f4bc1825ce8e84ae7d
http://git.alpinelinux.org/aports/commit/?id=de6df5d64baa025d268f3b72f4170f1b3d431e23
http://git.alpinelinux.org/aports/commit/?id=8f9f3fbfeb53b7405b21e4a23421a5de45ce875d
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.