CVE-2023-29491
published 2023-04-14
high 7.8 CVSS 3.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_big_sur | — | — |
| apple | macos_monterey | — | — |
| apple | macos_ventura | — | — |
| debian | ncurses | < ncurses 6.4-3 (bookworm) | ncurses 6.4-3 (bookworm) |
| gnu | ncurses | < 6.4 | 6.4 |
| gnu | ncurses | >= 0 < 6.2+20201114-2+deb11u2 | 6.2+20201114-2+deb11u2 |
| gnu | ncurses | >= 0 < 6.4-3 | 6.4-3 |
| gnu | ncurses | >= 0 < 6.4-3 | 6.4-3 |
| gnu | ncurses | >= 0 < 6.4-3 | 6.4-3 |
| gnu | ncurses | >= 0 < 6.1-1ubuntu1.18.04.1 | 6.1-1ubuntu1.18.04.1 |
| gnu | ncurses | >= 0 < 6.2-0ubuntu2.1 | 6.2-0ubuntu2.1 |
| gnu | ncurses | >= 0 < 6.3-2ubuntu0.1 | 6.3-2ubuntu0.1 |
| gnu | ncurses | >= 0 < 5.9+20140118-1ubuntu1+esm3 | 5.9+20140118-1ubuntu1+esm3 |
| gnu | ncurses | >= 0 < 6.0+20160213-1ubuntu1+esm3 | 6.0+20160213-1ubuntu1+esm3 |
| msrc | cbl2_ncurses_6.4-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_ncurses_6.4-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance
nvd v3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv 7.8 HIGH