Buffer overflow in libcurl - CVE-2017-9502
Published: June 16, 2017
Vulnerability identifier: #VU7114
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-9502
CWE-ID: CWE-120
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: curl.haxx.se
Affected software:
libcurl
Detailed vulnerability description
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists on Windows-based and DOS-based systems due to buffer overflow when handling malicious input. A local attacker can supply a specially crafted 'file:' URL without the '//' following the colon character, trigger memory corruption and execute arbitrary code on the target system with the privileges of the application using libcurl.
Successful exploitation of the vulnerability may result in full system compromise.
How to mitigate CVE-2017-9502
Update to version 7.54.1.
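Until the update is deployed, an application can refuse the URL shape described above before it reaches libcurl. The following is an added example, not code from curl or from this advisory; the function names and sample URLs are hypothetical, and it assumes every version below 7.54.1 is unfixed because the advisory does not state the first affected release.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if the dotted version string (e.g. the one libcurl reports at
   run time) is older than 7.54.1. Unparseable strings count as unfixed. */
static int libcurl_is_unfixed(const char *version)
{
    unsigned major = 0, minor = 0, patch = 0;
    if (sscanf(version, "%u.%u.%u", &major, &minor, &patch) < 2)
        return 1;
    if (major != 7)
        return major < 7;
    if (minor != 54)
        return minor < 54;
    return patch < 1;
}

/* Return 1 if url uses the file scheme (any letter case, optional leading
   whitespace) and the colon is not followed by "//". */
static int file_url_lacks_slashes(const char *url)
{
    static const char scheme[] = "file:";
    size_t i;
    while (isspace((unsigned char)*url))
        url++;
    for (i = 0; i < sizeof scheme - 1; i++)
        if (tolower((unsigned char)url[i]) != scheme[i])
            return 0;   /* also stops at the terminator of a short string */
    return strncmp(url + i, "//", 2) != 0;
}

/* Policy (assumption): reject only when the library predates the fix. */
static int should_reject(const char *version, const char *url)
{
    return libcurl_is_unfixed(version) && file_url_lacks_slashes(url);
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *urls[] = { "file:C:/data/report.txt", "FILE:notes.txt",
                           "file:///C:/data/report.txt", "https://example.com/" };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-28s 7.54.0: %s\n", urls[i],
               should_reject("7.54.0", urls[i]) ? "reject" : "pass");
    return 0;
}
```

The guard matters for Windows-based and DOS-based builds, the only platforms the advisory lists as affected.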