Risk | Low
Patch available | YES
Number of vulnerabilities | 2
CVE-ID | CVE-2018-20796, CVE-2019-9169
CWE-ID | CWE-121, CWE-125
Exploitation vector | Network
Public exploit | Public exploit code for vulnerability #1 is available.
Vulnerable software | Glibc (Universal components / Libraries / Libraries used by multiple products)
Vendor | GNU
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU17881
Risk: Low
CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:C]
CVE-ID: CVE-2018-20796
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the check_dst_limits_calc_pos_1() function in posix/regexec.c. A local user can pass specially crafted arguments to the application, trigger a stack overflow and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Glibc: 1.02 - 2.29
External links
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU17859
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-9169
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack or gain access to sensitive information.
The vulnerability exists due to a heap-based buffer over-read triggered by an attempted case-insensitive regular-expression match. A remote attacker can perform a denial of service attack or gain access to sensitive information.
Mitigation
The vulnerability is fixed in the Git repository.
Vulnerable software versions
Glibc: 2.29
External links
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142
http://sourceware.org/bugzilla/show_bug.cgi?id=24114
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.