CVE-2023-23456
published 2023-01-12CVE-2023-23456: A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort)…
PriorityP419medium5.5CVSS 3.1
AVLACLPRNUIRSUCNINAH
EPSS
0.39%
30.8th percentile
A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | upx-ucl | < upx-ucl 3.96-2+deb11u1 (bullseye) | upx-ucl 3.96-2+deb11u1 (bullseye) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| upx | upx | < 2022-11-24 | 2022-11-24 |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
osv5.5MEDIUM
vendor_debian5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-3j7g-922g-j6r3: A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt
ghsa_unreviewed·2023-01-12
CVE-2023-23456 [MEDIUM] CWE-787 GHSA-3j7g-922g-j6r3: A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt
A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file.
OSV
CVE-2023-23456: A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt
osv·2023-01-12·CVSS 5.5
CVE-2023-23456 [MEDIUM] CVE-2023-23456: A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt
A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file.
Debian
CVE-2023-23456: upx-ucl - A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p...
vendor_debian·2023·CVSS 5.3
CVE-2023-23456 [MEDIUM] CVE-2023-23456: upx-ucl - A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p...
A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file.
Scope: local
bullseye: resolved (fixed in 3.96-2+deb11u1)
forky: resolved (fixed in 4.2.2-1)
sid: resolved (fixed in 4.2.2-1)
trixie: resolved (fixed in 4.2.2-1)
No detection rules found.
No public exploits indexed.
https://bugzilla.redhat.com/show_bug.cgi?id=2160381https://github.com/upx/upx/commit/510505a85cbe45e51fbd470f1aa8b02157c429d4https://github.com/upx/upx/issues/632https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EL3BVKIGG3SH6I3KPOYQAWCBD4UMPOPI/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TGEP3FBNRZXGLIA2B2ICMB32JVMPREFZ/https://bugzilla.redhat.com/show_bug.cgi?id=2160381https://github.com/upx/upx/commit/510505a85cbe45e51fbd470f1aa8b02157c429d4https://github.com/upx/upx/issues/632https://lists.debian.org/debian-lts-announce/2024/12/msg00013.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EL3BVKIGG3SH6I3KPOYQAWCBD4UMPOPI/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TGEP3FBNRZXGLIA2B2ICMB32JVMPREFZ/
2023-01-12
Published