#VU35065 Buffer overflow in ClamAV


Published: 2019-11-15 | Updated: 2020-08-08

Vulnerability identifier: #VU35065

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-7088

CWE-ID: CWE-120

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ClamAV
Client/Desktop applications / Antivirus software/Personal firewalls

Vendor: ClamAV

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ClamAV before 0.97.7 has buffer overflow in the libclamav component

Mitigation
Install update from vendor's website.

Vulnerable software versions

ClamAV: 0.97.0 - 0.97.6

External links
http://security.gentoo.org/glsa/glsa-201405-08.xml
http://www.openwall.com/lists/oss-security/2013/12/13/1
http://www.securityfocus.com/bid/58546
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7088
http://security-tracker.debian.org/tracker/CVE-2013-7088

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Buffer overflow in ClamAV
Gentoo update for ClamAV