Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-8904 |
CWE-ID | CWE-125 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software Subscribe |
file (Alpine package) Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU17829
Risk: Low
CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-8904
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information or perform a denial of service (DoS) attack.
The vulnerability exists due to stack-based buffer over-read in the do_core_note function, as defined in the readelf.c source code file. A remote attacker can trick the victim into executing a file that submits malicious input to the targeted system with the file command, trigger memory corruption and gain access to arbitrary data or perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsfile (Alpine package): 5.35-r0
External linkshttp://git.alpinelinux.org/aports/commit/?id=6d181d271ac91ff2d8302855abd03d6a2be5dc27
http://git.alpinelinux.org/aports/commit/?id=9e177e38d94223a06ed62c20ac5ba1e4c0fecf1c
http://git.alpinelinux.org/aports/commit/?id=dc538f4f70353a02d01dac905fb662412befffbe
http://git.alpinelinux.org/aports/commit/?id=33bd61f256dd1826d6a7df5ebb8a9e2fc1125ce1
http://git.alpinelinux.org/aports/commit/?id=867138742023dde9397648e41743a9173432a7b2
http://git.alpinelinux.org/aports/commit/?id=8b903beb77c68c97ba0aa36e58b6750edc06ca78
http://git.alpinelinux.org/aports/commit/?id=27d87cf2365bff16337278a4e93a16df7f33f2e4
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.