Integer overflow in WeeChat



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2024-46613
CWE-ID CWE-190
Exploitation vector Local
Public exploit N/A
Vulnerable software
WeeChat
Client/Desktop applications / Messaging software

Vendor WeeChat.org

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Integer overflow

EUVDB-ID: #VU101837

Risk: Low

CVSSv4.0: 0.1 [CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-46613

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows an attacker to execute arbitrary code.

The vulnerability exists due to integer overflow when looping over items in a list within the string_free_split_shared(), string_free_split(), string_free_split_command(), and string_free_split_tags() functions in core/core-string.c. An attacker with physical access to the system can trigger an integer overflow and execute arbitrary code on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

WeeChat: 4.0.0 - 4.4.1

CPE2.3 External links

http://weechat.org/doc/weechat/security/WSA-2024-1/
http://github.com/weechat/weechat/issues/2178


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###