Risk | High
Patch available | YES
Number of vulnerabilities | 1
CVE-ID | CVE-2018-8905
CWE-ID | CWE-122
Exploitation vector | Network
Public exploit | Public exploit code for vulnerability #1 is available.
Vulnerable software | tiff (Alpine package) (Operating systems & Components / Operating system package or component)
Vendor | Alpine Linux Development Team
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU11263
Risk: High
CVSSv3.1: 8.2 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:U]
CVE-ID: CVE-2018-8905
CWE-ID: CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description
The vulnerability allows a remote authenticated attacker to cause a DoS condition or execute arbitrary code on the target system.
The weakness exists in the LZWDecodeCompat function due to insufficient validation of user-supplied input. A remote attacker can submit a specially crafted TIFF file to cause the service to crash or to execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Install the update from the vendor's website.
Vulnerable software versions: tiff (Alpine package): 4.0.1-r0 - 4.0.9-r3
External links:
http://git.alpinelinux.org/aports/commit/?id=c1c8c5a78a149b9954517df485d61e66a73a93a4
http://git.alpinelinux.org/aports/commit/?id=78ce279c75c408856851a5d65aa3c6cad2eb3304
http://git.alpinelinux.org/aports/commit/?id=942d54f276770d9b694bd1d2720587b4fd09b789
http://git.alpinelinux.org/aports/commit/?id=b5048f60578944dd85221fa9d5e279872d2315b9
http://git.alpinelinux.org/aports/commit/?id=d9df36a6ec1d80263dd65a582b3b4b207b92ecd3
http://git.alpinelinux.org/aports/commit/?id=e6a6453651a9c3c80af79c2193ce5ba2d9204c4c
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.