CVE-2023-23456

MEDIUM 5.3

Upx: heap-buffer-overflow in packtmt::pack()

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file.

CWE	CWE-787
Published	Jan 12, 2023
Last Updated	Dec 11, 2024

Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new medium vulnerabilities are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

NVD ↗ CVE.org ↗ EPSS Data ↗

bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2160381 github.com: https://github.com/upx/upx/commit/510505a85cbe45e51fbd470f1aa8b02157c429d4 github.com: https://github.com/upx/upx/issues/632 lists.fedoraproject.org: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EL3BVKIGG3SH6I3KPOYQAWCBD4UMPOPI/ lists.fedoraproject.org: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TGEP3FBNRZXGLIA2B2ICMB32JVMPREFZ/ lists.debian.org: https://lists.debian.org/debian-lts-announce/2024/12/msg00013.html

Credits

Red Hat would like to thank Chenweijia for reporting this issue.