Input validation error in fribidi

#VU62021 Input validation error in fribidi

Published: 2022-04-08 | Updated: 2022-12-02

Vulnerability identifier: #VU62021

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-25310

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
fribidi
Universal components / Libraries / Libraries used by multiple products

Vendor: GNU

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to improper handling of empty input when removing marks from unicode strings. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

fribidi: 0.19.4 - 1.0.11

External links
http://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

VMware Tanzu products update for FriBidi

Multiple vulnerabilities in OpenShift API for Data Protection (OADP) 1.1

Ubuntu update for fribidi

Multiple vulnerabilities in Red Hat Migration Toolkit for Applications

Multiple vulnerabilities in Migration Toolkit for Runtimes

Multiple vulnerabilities in OpenShift Virtualization 4.12

Multiple vulnerabilities in Migration Toolkit for Containers (MTC)

IBM App Connect Enterprise Certified Container update for fribidi

Multiple vulnerabilities in OpenShift Virtualization 4.11