CVE-2015-5277 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Glibc

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-300 — Channel Accessible by Non-Endpoint CWE-494 — Download of Code Without Integrity Check12 documents8 sources

Severity

7.2HIGHNVD

EPSS

0.1%

top 72.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Glibc Canonical Ubuntu Linux Redhat Enterprise Linux Desktop +3 more

Timeline

PublishedDec 17

Latest updateMay 17

Description

The get_contents function in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) before 2.20 might allow local users to cause a denial of service (heap corruption) or gain privileges via a long line in the NSS files database.

CVSS vector

AV:L/AC:L/C:C/I:C/A:CExploitability: 3.9 | Impact: 10.0

Affected Packages6 packages

▶Debiangnu/glibc< 2.21-1+3

▶NVDgnu/glibc2.19

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

▶NVDredhat/enterprise_linux_hpc_node7.0

Also affects: Ubuntu Linux 12.04, 14.04, 15.10

🔴Vulnerability Details

GHSA

GHSA-hjm6-jvmc-534p: The get_contents function in nss_files/files-XXX↗2022-05-17

▶

OSV

CVE-2015-5277: The get_contents function in nss_files/files-XXX↗2015-12-17

▶

CVEList

CVE-2015-5277: The get_contents function in nss_files/files-XXX↗2015-12-17

▶

📋Vendor Advisories

Ubuntu

GNU C Library vulnerabilities↗2016-05-25

▶

Red Hat

glibc: data corruption while reading the NSS files database↗2015-09-14

▶

Red Hat

docker: regression of CVE-2014-5277↗2015-03-27

▶

Debian

CVE-2015-5277: glibc - The get_contents function in nss_files/files-XXX.c in the Name Service Switch (N...↗2015

▶

💬Community

Bugzilla

CVE-2015-5277 glibc: data corruption while reading the NSS files database↗2015-09-14

▶

Bugzilla

CVE-2015-5277 glibc: nss_files doesn't detect ERANGE problems correctly [rhel-7.3]↗2014-05-19

▶