CVE-2017-10685

CWE-134 — Uncontrolled Format String9 documents8 sources

Severity

9.8CRITICAL

EPSS

1.5%

top 18.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Ncurses

Timeline

PublishedJun 29

Latest updateMay 26

Description

In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶Debianncurses< 6.0+20170701-1+3

▶NVDgnu/ncurses6.0

🔴Vulnerability Details

OSV

ncurses vulnerabilities↗2022-05-26

▶

GHSA

GHSA-67w6-7r3q-87w7: In ncurses 6↗2022-05-13

▶

CVEList

CVE-2017-10685: In ncurses 6↗2017-06-29

▶

OSV

CVE-2017-10685: In ncurses 6↗2017-06-29

▶

📋Vendor Advisories

Ubuntu

ncurses vulnerabilities↗2022-05-26

▶

Red Hat

ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function↗2017-06-24

▶

Debian

CVE-2017-10685: ncurses - In ncurses 6.0, there is a format string vulnerability in the fmt_entry function...↗2017

▶

💬Community

Bugzilla

CVE-2017-10685 ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function↗2017-07-20

▶