CVE-2017-2808 - An exploitable use-after-free vulnerability exists in the account parsing component of the Ledger-CL

CVE-2017-2808

Summary

An exploitable use-after-free vulnerability exists in the account parsing component of the Ledger-CLI 3.1.1. A specially crafted ledger file can cause a use-after-free vulnerability resulting in arbitrary code execution. An attacker can convince a user to load a journal file to trigger this vulnerability.

References

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0304
http://www.securityfocus.com/bid/100546
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00031.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00029.html
https://security.gentoo.org/glsa/202004-05

Vulnerable Configurations

cpe:2.3:a:ledger-cli:ledger:3.1.1:*:*:*:*:*:*:*
cpe:2.3:a:ledger-cli:ledger:3.1.1:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 19-04-2022 - 19:15)
Impact:
Exploitability:

CWE

CWE-416

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

bid	100546
gentoo	GLSA-202004-05
misc	https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0304
suse	openSUSE-SU-2019:1779 openSUSE-SU-2019:1895

Last major update

19-04-2022 - 19:15

Published

05-09-2017 - 18:29

Last modified

19-04-2022 - 19:15