Main Vulnerability Database Vulnerabilities #VU50816

#VU50816 Use-after-free in libzip - CVE-2019-17582

Published: February 21, 2021

Vulnerability identifier: #VU50816

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2019-17582

CWE-ID: CWE-416

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
libzip

Software vendor:
NiH

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the zip_dirent_read() function of zip_dirent.c in libzip. A remote attacker can trick the victim to open a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796
https://github.com/nih-at/libzip/issues/5
https://libzip.org/libzip-discuss/

#VU50816 Use-after-free in libzip - CVE-2019-17582

Description

Remediation

External links

Please verify you're human