CVE-2021-20285Improper Restriction of Operations within the Bounds of a Memory Buffer in Upx-ucl

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-787Out-of-bounds Write4 documents4 sources
Severity
6.6MEDIUMNVD
EPSS
0.2%
top 53.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Debian Upx-uclUPX
Timeline
PublishedMar 26
Latest updateMay 24

Description

A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96. This flaw allows attackers to cause a denial of service (SEGV or buffer overflow and application crash) or possibly have unspecified other impacts via a crafted ELF. The highest threat from this vulnerability is to system availability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:HExploitability: 1.8 | Impact: 4.7

Affected Packages3 packages

debiandebian/upx-ucl< upx-ucl 4.2.2-1 (forky)
CVEListV5upx/upxUPX 3.96
NVDupx/upx3.96

🔴Vulnerability Details

2
GHSA
GHSA-9235-qgm5-877x: A flaw was found in upx canPack in p_lx_elf2022-05-24
OSV
CVE-2021-20285: A flaw was found in upx canPack in p_lx_elf2021-03-26

📋Vendor Advisories

1
Debian
CVE-2021-20285: upx-ucl - A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96. This flaw allows at...2021
CVE-2021-20285 — Debian Upx-ucl vulnerability | cvebase