Vulnerability identifier: #VU46974
Vulnerability risk: Low
CVSSv3.1: 6.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-787
Exploitation vector: Local
Exploit availability: No
Description
The vulnerability allows a local authenticated user to trigger an out-of-bounds write.
A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.
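The bug class described above (CWE-787, a string that outgrows a fixed buffer), as an added C illustration that is not DBI.xs code and does not come from this advisory. The function names, the `::data` suffix and the sample inputs are constructed; only the 300-byte size is taken from the description.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 300  /* fixed size, matching the 300-character limit in the description */

/* Vulnerable pattern (hypothetical function, not DBI.xs code): the formatted
 * string is written with no bound, so a result that does not fit in NAME_BUF
 * bytes is written past the end of `out`. Kept only for comparison. */
void build_name_unchecked(char out[NAME_BUF], const char *cls)
{
    sprintf(out, "%s::data", cls);
}

/* Hardened form: snprintf writes at most NAME_BUF bytes including the NUL,
 * and its return value (the length the full string needs) exposes truncation.
 * Returns 0 on success, -1 if the input is NULL or the result does not fit. */
int build_name_checked(char out[NAME_BUF], const char *cls)
{
    if (cls == NULL)
        return -1;
    int need = snprintf(out, NAME_BUF, "%s::data", cls);
    if (need < 0 || need >= NAME_BUF) {
        out[0] = '\0';  /* reject instead of keeping a truncated name */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[NAME_BUF];
    char longname[400];  /* constructed oversize input */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("short input: %d\n", build_name_checked(buf, "DBD::Example"));
    printf("long input:  %d\n", build_name_checked(buf, longname));
    return 0;
}
```

Rejecting the oversize input, rather than silently truncating it, keeps a shortened name from being mistaken for a valid one.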
Mitigation
Install update from vendor's website.
External links
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00067.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00074.html
http://bugzilla.redhat.com/show_bug.cgi?id=1877409
http://metacpan.org/pod/distribution/DBI/Changes#Changes-in-DBI-1.643
Can this vulnerability be exploited remotely?
No. This vulnerability can only be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.