#VU35103 Input validation error in ClamAV and Debian Linux


Published: 2019-11-08 | Updated: 2020-08-08

Vulnerability identifier: #VU35103

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2007-6745

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ClamAV
Client/Desktop applications / Antivirus software/Personal firewalls
Debian Linux
Operating systems & Components / Operating system

Vendor: ClamAV
Debian

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

clamav 0.91.2 suffers from a floating point exception when using ScanOLE2.

Mitigation
Install update from vendor's website.

Vulnerable software versions

ClamAV: 0.91.2

Debian Linux: 0.91.2 - 9.0

External links
http://www.openwall.com/lists/oss-security/2012/03/29/2
http://access.redhat.com/security/cve/cve-2007-6745
http://security-tracker.debian.org/tracker/CVE-2007-6745

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Input validation error in ClamAV