openEuler 22.03 LTS update for libcap
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2023-2602 CVE-2023-2603 |
| CWE-ID | CWE-401 CWE-98 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
openEuler Operating systems & Components / Operating system libcap-help Operating systems & Components / Operating system package or component libcap-debuginfo Operating systems & Components / Operating system package or component libcap-debugsource Operating systems & Components / Operating system package or component libcap-devel Operating systems & Components / Operating system package or component libcap Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Memory leak
EUVDB-ID: #VU76757
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-2602
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak in the error handling in the __wrap_pthread_create() function. A remote attacker can send a specially crafted request, exploit vulnerability to exhaust the process memory and cause a denial of service condition.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
libcap-help: before 2.61-5
libcap-debuginfo: before 2.61-5
libcap-debugsource: before 2.61-5
libcap-devel: before 2.61-5
libcap: before 2.61-5
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS:*:*:*:*:*:*
- cpe:2.3:o:openeuler:libcap-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libcap-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libcap-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libcap-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libcap:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1345
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) PHP file inclusion
EUVDB-ID: #VU72703
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-2603
CWE-ID:
CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to include and execute arbitrary PHP files on the server.
The vulnerability exists due to incorrect input validation when including PHP files in web/ajax/modal.php. A remote non-authenticated attacker can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
libcap-help: before 2.61-5
libcap-debuginfo: before 2.61-5
libcap-debugsource: before 2.61-5
libcap-devel: before 2.61-5
libcap: before 2.61-5
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS:*:*:*:*:*:*
- cpe:2.3:o:openeuler:libcap-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libcap-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libcap-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libcap-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libcap:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1345
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
