Privilege escalation in mutt (Alpine package)



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2018-14356
CWE-ID CWE-264
Exploitation vector Local
Public exploit N/A
Vulnerable software
 mutt (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Privilege escalation

EUVDB-ID: #VU13970

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-14356

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to improper handling of a zero-length unique identifier (UID) by the pop.c code. A local attacker can manipulate the UID value assigned to an email message and cause the service to crash or execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

mutt (Alpine package): 1.5.21-r0 - 1.10.0-r0

CPE2.3 External links

https://git.alpinelinux.org/aports/commit/?id=0d3886cdea880fe65aff164040ab54f9e2d5ee93
https://git.alpinelinux.org/aports/commit/?id=7b76ef5a44a34f2aa0ab6dcbd05653a7f384d5cd
https://git.alpinelinux.org/aports/commit/?id=8096bf545fbce05d5535cb01173187a08a4e7f14
https://git.alpinelinux.org/aports/commit/?id=e16a7290cad51651c51b16468159e0bb5a11f234


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###