Arbitrary code execution in Irssi - CVE-2016-7044
Published: September 22, 2016 / Updated: September 23, 2016
Vulnerability identifier: #VU632
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-7044
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Irssi.org
Affected software:
Irssi
Detailed vulnerability description
The vulnerability allows a remote user to cause arbitrary code execution on the target system.
The weakness exists due to an input validation error. By tricking the victim into loading a specially crafted file, attackers can trigger a buffer overflow in format_send_to_gui() and execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
How to mitigate CVE-2016-7044
Update to 0.8.20.