#VU7114 Buffer overflow in libcurl - CVE-2017-9502
Published: June 16, 2017
Vulnerability identifier: #VU7114
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-9502
CWE-ID: CWE-120
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
libcurl
Software vendor:
curl.haxx.se
Description
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists on Windows-based and DOS-based systems and is due to a buffer overflow when handling malicious input. A local attacker can supply a specially crafted 'file:' URL without the '//' following the colon character, trigger memory corruption, and execute arbitrary code on the target system with the privileges of the application using libcurl.
Successful exploitation of the vulnerability may result in full system compromise.
Remediation
Update to version 7.54.1.