Improper input validation in prayer (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-0898 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
ruby (Alpine package) Operating systems & Components / Operating system package or component prayer (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Improper input validation
EUVDB-ID: #VU8447
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-0898
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition or obtain potentially sensitive information on the target system.
The weakness exists due to buffer underrun in the Kernel.sprintf() method. A remote attacker can provide a specially crafted format string value to cause the target interpreter to crash or potentially access data from the heap.
Successful exploitation of the vulnerability results in information disclosure or denial of service.
Install update from vendor's website.
Vulnerable software versionsruby (Alpine package): 2.5.0-r0 - 2.7.1-r5
prayer (Alpine package): 1.3.5-r5
ruby (Alpine package):
External linkshttp://git.alpinelinux.org/aports/commit/?id=00e11164a40032afe167743eee57220f912bbc06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
