CVE-2017-7555 — Heap-based Buffer Overflow in Augeas

CWE-122 — Heap-based Buffer Overflow CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-20 — Improper Input Validation8 documents7 sources

Severity

9.8CRITICALNVD

EPSS

1.2%

top 20.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Augeas Debian Augeas RED HAT INC Augeas

Timeline

PublishedAug 17

Latest updateMay 17

Description

Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer overflow due to improper handling of escaped strings. Attacker could send crafted strings that would cause the application using augeas to copy past the end of a buffer, leading to a crash or possible code execution.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/augeas< augeas 1.8.1-1 (bookworm)

▶Debianaugeas/augeas< 1.8.1-1+3

▶NVDaugeas/augeas1.8.0

▶CVEListV5red_hat_inc/augeasup to and including 1.8.0

🔴Vulnerability Details

GHSA

GHSA-r8cq-v6vf-645g: Augeas versions up to and including 1↗2022-05-17

▶

OSV

CVE-2017-7555: Augeas versions up to and including 1↗2017-08-17

▶

📋Vendor Advisories

Ubuntu

Augeas vulnerability↗2017-08-21

▶

Red Hat

augeas: Improper handling of escaped strings leading to memory corruption↗2017-08-17

▶

Debian

CVE-2017-7555: augeas - Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer ov...↗2017

▶

💬Community

Bugzilla

CVE-2017-7555 augeas: Improper handling of escaped strings leading to memory corruption [fedora-all]↗2017-08-17

▶

Bugzilla

CVE-2017-7555 augeas: Improper handling of escaped strings leading to memory corruption↗2017-08-04

▶