Out-of-bounds read in curl (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-1000099 |
| CWE-ID | CWE-125 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
curl (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Out-of-bounds read
EUVDB-ID: #VU7882
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-1000099
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to obtain potentially sensitive information.
The weakness exists due to out-of bounds read. A local attacker can load a specially crafted 'file://' URL to cause the curl application to return data from system memory.
Successful exploitation of the vulnerability results in information disclosure.
Install update from vendor's website.
Vulnerable software versionscurl (Alpine package): 7.21.1-r0 - 7.54.1-r0
External linkshttp://git.alpinelinux.org/aports/commit/?id=cbf50badfab16636b8752fadd5fa558b9fca6999
http://git.alpinelinux.org/aports/commit/?id=4a60b4d3583938cdd36c82d763ac5167d7720079
http://git.alpinelinux.org/aports/commit/?id=8e6f31c56dbe2966fb43113f9c7c1039bbef9865
http://git.alpinelinux.org/aports/commit/?id=a51f2d7593706eb38073b80df6192c6730f36c60
http://git.alpinelinux.org/aports/commit/?id=dba8b02f8c7dbcbb9187eac2b24fd749edc37599
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
