Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    19 vulnerabilities by GNU Project

    JVNDB-2025-000104

    Vulnerability from jvndb - Published: 2025-11-10 15:07 - Updated:2025-11-10 15:07
    Severity
    Summary
    Multiple vulnerabilities in GNU Libmicrohttpd
    Details
    GNU Libmicrohttpd provided by GNU Project contains multiple vulnerabilities listed below.
    • NULL pointer dereference (CWE-476) - CVE-2025-59777
    • Heap-based buffer overflow (CWE-122) - CVE-2025-62689
    Tatsuhiko Yasumatsu of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000104.html",
      "dc:date": "2025-11-10T15:07+09:00",
      "dcterms:issued": "2025-11-10T15:07+09:00",
      "dcterms:modified": "2025-11-10T15:07+09:00",
      "description": "GNU Libmicrohttpd provided by GNU Project contains multiple vulnerabilities listed below.\r\n\u003cul\u003e\r\n\u003cli\u003eNULL pointer dereference (CWE-476) - CVE-2025-59777\u003c/li\u003e\r\n\u003cli\u003eHeap-based buffer overflow (CWE-122) - CVE-2025-62689\u003c/li\u003e\r\n\u003c/ul\u003e\r\nTatsuhiko Yasumatsu of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2025/JVNDB-2025-000104.html",
      "sec:cpe": {
        "#text": "cpe:/a:gnu:gnu_libmicrohttpd",
        "@product": "GNU Libmicrohttpd",
        "@vendor": "GNU Project",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "7.5",
        "@severity": "High",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2025-000104",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN76719218/index.html",
          "@id": "JVN#76719218",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-59777",
          "@id": "CVE-2025-59777",
          "@source": "CVE"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2025-62689",
          "@id": "CVE-2025-62689",
          "@source": "CVE"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-119",
          "@title": "Buffer Errors(CWE-119)"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "Multiple vulnerabilities in GNU Libmicrohttpd"
    }

    JVNDB-2019-000022

    Vulnerability from jvndb - Published: 2019-04-03 14:58 - Updated:2019-09-30 18:08
    Severity
    Summary
    GNU Wget vulnerable to buffer overflow
    Details
    GNU Wget contains a buffer overflow vulnerability (CWE-119). Kusano Kazuhiko reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000022.html",
      "dc:date": "2019-09-30T18:08+09:00",
      "dcterms:issued": "2019-04-03T14:58+09:00",
      "dcterms:modified": "2019-09-30T18:08+09:00",
      "description": "GNU Wget contains a buffer overflow vulnerability (CWE-119).\r\n\r\nKusano Kazuhiko reported this vulnerability to IPA.\r\n JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000022.html",
      "sec:cpe": {
        "#text": "cpe:/a:gnu:wget",
        "@product": "GNU Wget",
        "@vendor": "GNU Project",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "6.8",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "@version": "2.0"
        },
        {
          "@score": "8.8",
          "@severity": "High",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2019-000022",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN25261088/index.html",
          "@id": "JVN#25261088",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5953",
          "@id": "CVE-2019-5953",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-5953",
          "@id": "CVE-2019-5953",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-119",
          "@title": "Buffer Errors(CWE-119)"
        }
      ],
      "title": "GNU Wget vulnerable to buffer overflow"
    }

    JVNDB-2018-000067

    Vulnerability from jvndb - Published: 2018-06-28 12:30 - Updated:2019-07-24 15:21
    Severity
    Summary
    Mailman vulnerable to cross-site scripting
    Details
    Mailman provided by GNU Mailman contains a stored cross-site scripting vulnerability (CWE-79). Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000067.html",
      "dc:date": "2019-07-24T15:21+09:00",
      "dcterms:issued": "2018-06-28T12:30+09:00",
      "dcterms:modified": "2019-07-24T15:21+09:00",
      "description": "Mailman provided by GNU Mailman contains a stored cross-site scripting vulnerability (CWE-79).\r\n\r\nToshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\n JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000067.html",
      "sec:cpe": {
        "#text": "cpe:/a:gnu:mailman",
        "@product": "GNU Mailman",
        "@vendor": "GNU Project",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "4.0",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "@version": "2.0"
        },
        {
          "@score": "4.8",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2018-000067",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN00846677/index.html",
          "@id": "JVN#00846677",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0618",
          "@id": "CVE-2018-0618",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0618",
          "@id": "CVE-2018-0618",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        }
      ],
      "title": "Mailman vulnerable to cross-site scripting"
    }

    CVE-2025-62689 (GCVE-0-2025-62689)

    Vulnerability from nvd – Published: 2025-11-10 04:10 – Updated: 2025-11-14 18:01
    VLAI
    Summary
    NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-122 - Heap-based buffer overflow
    Assigner
    Impacted products
    Vendor Product Version
    GNU Project GNU libbmicrohttpd Affected: v1.0.2 and earlier (The vulnerability remains in the source code up until commit ff13abc on the master branch of the libmicrohttpd Git repository
    Affected: after the v1.0.2 tag.)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62689",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-14T18:01:50.566603Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-14T18:01:56.011Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GNU libbmicrohttpd",
              "vendor": "GNU Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "v1.0.2 and earlier (The vulnerability remains in the source code up until commit ff13abc on the master branch of the libmicrohttpd Git repository"
                },
                {
                  "status": "affected",
                  "version": "after the v1.0.2 tag.)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "Heap-based buffer overflow",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-10T04:10:57.970Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.gnu.org/software/libmicrohttpd/"
            },
            {
              "url": "https://git.gnunet.org/libmicrohttpd.git/commit/?id=ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN76719218/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-62689",
        "datePublished": "2025-11-10T04:10:57.970Z",
        "dateReserved": "2025-11-03T23:35:49.815Z",
        "dateUpdated": "2025-11-14T18:01:56.011Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59777 (GCVE-0-2025-59777)

    Vulnerability from nvd – Published: 2025-11-10 04:10 – Updated: 2025-11-10 21:41
    VLAI
    Summary
    NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL pointer dereference
    Assigner
    Impacted products
    Vendor Product Version
    GNU Project GNU libbmicrohttpd Affected: v1.0.2 and earlier (The vulnerability remains in the source code up until commit ff13abc on the master branch of the libmicrohttpd Git repository
    Affected: after the v1.0.2 tag.)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59777",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-10T21:40:57.327820Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-10T21:41:04.217Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GNU libbmicrohttpd",
              "vendor": "GNU Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "v1.0.2 and earlier (The vulnerability remains in the source code up until commit ff13abc on the master branch of the libmicrohttpd Git repository"
                },
                {
                  "status": "affected",
                  "version": "after the v1.0.2 tag.)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "NULL pointer dereference",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-10T04:10:44.836Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.gnu.org/software/libmicrohttpd/"
            },
            {
              "url": "https://git.gnunet.org/libmicrohttpd.git/commit/?id=ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN76719218/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-59777",
        "datePublished": "2025-11-10T04:10:44.836Z",
        "dateReserved": "2025-11-03T23:35:54.488Z",
        "dateUpdated": "2025-11-10T21:41:04.217Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-28736 (GCVE-0-2022-28736)

    Vulnerability from nvd – Published: 2023-07-20 00:23 – Updated: 2025-02-13 16:32
    VLAI
    Title
    There's a use-after-free vulnerability in grub_cmd_chainloader() function
    Summary
    There's a use-after-free vulnerability in grub_cmd_chainloader() function; The chainloader command is used to boot up operating systems that doesn't support multiboot and do not have direct support from GRUB2. When executing chainloader more than once a use-after-free vulnerability is triggered. If an attacker can control the GRUB2's memory allocation pattern sensitive data may be exposed and arbitrary code execution can be achieved.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    Assigner
    Impacted products
    Vendor Product Version
    GNU Project GNU GRUB Affected: 0 , < 2.06-3 (semver)
    Create a notification for this product.
    Date Public
    2022-06-13 00:00
    Credits
    Chris Coulson
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:03:52.084Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
              },
              {
                "tags": [
                  "issue-tracking",
                  "x_transferred"
                ],
                "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28736"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-28736",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-24T18:53:03.377740Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-24T18:53:12.420Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "packageName": "grub2",
              "platforms": [
                "Linux"
              ],
              "product": "GNU GRUB",
              "repo": "https://git.savannah.gnu.org/cgit/grub.git",
              "vendor": "GNU Project",
              "versions": [
                {
                  "lessThan": "2.06-3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chris Coulson"
            }
          ],
          "datePublic": "2022-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There\u0027s a use-after-free vulnerability in grub_cmd_chainloader() function; The chainloader command is used to boot up operating systems that doesn\u0027t support multiboot and do not have direct support from GRUB2. When executing chainloader more than once a use-after-free vulnerability is triggered. If an attacker can control the GRUB2\u0027s memory allocation pattern sensitive data may be exposed and arbitrary code execution can be achieved."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-25T22:06:14.346Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "mailing-list"
              ],
              "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28736"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
            }
          ],
          "title": "There\u0027s a use-after-free vulnerability in grub_cmd_chainloader() function"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2022-28736",
        "datePublished": "2023-07-20T00:23:01.952Z",
        "dateReserved": "2022-04-05T21:59:08.761Z",
        "dateUpdated": "2025-02-13T16:32:37.356Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-28735 (GCVE-0-2022-28735)

    Vulnerability from nvd – Published: 2023-07-20 00:22 – Updated: 2025-02-13 16:32
    VLAI
    Summary
    The GRUB2's shim_lock verifier allows non-kernel files to be loaded on shim-powered secure boot systems. Allowing such files to be loaded may lead to unverified code and modules to be loaded in GRUB2 breaking the secure boot trust-chain.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    Assigner
    Impacted products
    Vendor Product Version
    GNU Project GNU GRUB Affected: 0 , < 2.06-3 (semver)
    Create a notification for this product.
    Date Public
    2022-06-13 00:00
    Credits
    Julian Andres Klode
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:03:52.586Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
              },
              {
                "tags": [
                  "issue-tracking",
                  "x_transferred"
                ],
                "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28735"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-28735",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-24T19:20:44.888610Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-24T19:20:56.235Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "packageName": "grub2",
              "platforms": [
                "Linux"
              ],
              "product": "GNU GRUB",
              "repo": "https://git.savannah.gnu.org/cgit/grub.git",
              "vendor": "GNU Project",
              "versions": [
                {
                  "lessThan": "2.06-3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Julian Andres Klode"
            }
          ],
          "datePublic": "2022-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The GRUB2\u0027s shim_lock verifier allows non-kernel files to be loaded on shim-powered secure boot systems. Allowing such files to be loaded may lead to unverified code and modules to be loaded in GRUB2 breaking the secure boot trust-chain."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-25T22:06:17.633Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "mailing-list"
              ],
              "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28735"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2022-28735",
        "datePublished": "2023-07-20T00:22:51.229Z",
        "dateReserved": "2022-04-05T21:59:08.760Z",
        "dateUpdated": "2025-02-13T16:32:36.760Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-28734 (GCVE-0-2022-28734)

    Vulnerability from nvd – Published: 2023-07-20 00:22 – Updated: 2025-02-13 16:32
    VLAI
    Title
    Out-of-bounds write when handling split HTTP headers
    Summary
    Out-of-bounds write when handling split HTTP headers; When handling split HTTP headers, GRUB2 HTTP code accidentally moves its internal data buffer point by one position. This can lead to a out-of-bound write further when parsing the HTTP request, writing a NULL byte past the buffer. It's conceivable that an attacker controlled set of packets can lead to corruption of the GRUB2's internal memory metadata.
    Assigner
    Impacted products
    Vendor Product Version
    GNU Project GNU GRUB Affected: 0 , < 2.06-3 (semver)
    Create a notification for this product.
    Date Public
    2022-06-13 00:00
    Credits
    Daniel Axtens
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:03:52.014Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
              },
              {
                "tags": [
                  "issue-tracking",
                  "x_transferred"
                ],
                "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28734"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "packageName": "grub2",
              "platforms": [
                "Linux"
              ],
              "product": "GNU GRUB",
              "repo": "https://git.savannah.gnu.org/cgit/grub.git",
              "vendor": "GNU Project",
              "versions": [
                {
                  "lessThan": "2.06-3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Daniel Axtens"
            }
          ],
          "datePublic": "2022-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Out-of-bounds write when handling split HTTP headers; When handling split HTTP headers, GRUB2 HTTP code accidentally moves its internal data buffer point by one position. This can lead to a out-of-bound write further when parsing the HTTP request, writing a NULL byte past the buffer. It\u0027s conceivable that an attacker controlled set of packets can lead to corruption of the GRUB2\u0027s internal memory metadata."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-25T22:06:16.044Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "mailing-list"
              ],
              "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28734"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
            }
          ],
          "title": "Out-of-bounds write when handling split HTTP headers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2022-28734",
        "datePublished": "2023-07-20T00:22:37.840Z",
        "dateReserved": "2022-04-05T21:59:08.760Z",
        "dateUpdated": "2025-02-13T16:32:36.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-28733 (GCVE-0-2022-28733)

    Vulnerability from nvd – Published: 2023-07-20 00:20 – Updated: 2025-02-13 16:32
    VLAI
    Title
    Integer underflow in grub_net_recv_ip4_packets
    Summary
    Integer underflow in grub_net_recv_ip4_packets; A malicious crafted IP packet can lead to an integer underflow in grub_net_recv_ip4_packets() function on rsm->total_len value. Under certain circumstances the total_len value may end up wrapping around to a small integer number which will be used in memory allocation. If the attack succeeds in such way, subsequent operations can write past the end of the buffer.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    GNU Project GNU GRUB Affected: 0 , < 2.06-3 (semver)
    Create a notification for this product.
    Date Public
    2022-06-13 00:00
    Credits
    Daniel Axtens
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:03:52.571Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
              },
              {
                "tags": [
                  "issue-tracking",
                  "x_transferred"
                ],
                "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28733"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-28733",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-24T19:49:29.972519Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-24T19:49:41.076Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "packageName": "grub2",
              "platforms": [
                "Linux"
              ],
              "product": "GNU GRUB",
              "repo": "https://git.savannah.gnu.org/cgit/grub.git",
              "vendor": "GNU Project",
              "versions": [
                {
                  "lessThan": "2.06-3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Daniel Axtens"
            }
          ],
          "datePublic": "2022-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Integer underflow in grub_net_recv_ip4_packets; A malicious crafted IP packet can lead to an integer underflow in grub_net_recv_ip4_packets() function on rsm-\u003etotal_len value. Under certain circumstances the total_len value may end up wrapping around to a small integer number which will be used in memory allocation. If the attack succeeds in such way, subsequent operations can write past the end of the buffer."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-191",
                  "description": "CWE-191",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-25T22:06:12.648Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "mailing-list"
              ],
              "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28733"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
            }
          ],
          "title": "Integer underflow in grub_net_recv_ip4_packets"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2022-28733",
        "datePublished": "2023-07-20T00:20:02.458Z",
        "dateReserved": "2022-04-05T21:59:08.759Z",
        "dateUpdated": "2025-02-13T16:32:35.678Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-13090 (GCVE-0-2017-13090)

    Vulnerability from nvd – Published: 2017-10-27 19:00 – Updated: 2024-09-16 18:23
    VLAI
    Title
    GNU Wget: heap overflow in HTTP protocol handling
    Summary
    The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.
    CWE
    • CWE-122 - Heap-based Buffer Overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    GNU Project Wget Affected: prior to 1.19.2
    Create a notification for this product.
    Date Public
    2017-10-27 00:00
    Credits
    Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T18:58:12.303Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html"
              },
              {
                "name": "101590",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/101590"
              },
              {
                "name": "GLSA-201711-06",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/201711-06"
              },
              {
                "name": "DSA-4008",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2017/dsa-4008"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/support/security/Synology_SA_17_62_Wget"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba"
              },
              {
                "name": "1039661",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1039661"
              },
              {
                "name": "RHSA-2017:3075",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3075"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "any"
              ],
              "product": "Wget",
              "vendor": "GNU Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 1.19.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Antti Levom\u00e4ki, Christian Jalio, Joonas Pihlaja from Forcepoint"
            }
          ],
          "datePublic": "2017-10-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk\u0027s length, but doesn\u0027t check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122: Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-12-29T13:57:02.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html"
            },
            {
              "name": "101590",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/101590"
            },
            {
              "name": "GLSA-201711-06",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/201711-06"
            },
            {
              "name": "DSA-4008",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2017/dsa-4008"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/support/security/Synology_SA_17_62_Wget"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba"
            },
            {
              "name": "1039661",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1039661"
            },
            {
              "name": "RHSA-2017:3075",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3075"
            }
          ],
          "title": "GNU Wget: heap overflow in HTTP protocol handling",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cert@cert.org",
              "DATE_PUBLIC": "2017-10-27T15:00:00.000Z",
              "ID": "CVE-2017-13090",
              "STATE": "PUBLIC",
              "TITLE": "GNU Wget: heap overflow in HTTP protocol handling"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Wget",
                          "version": {
                            "version_data": [
                              {
                                "platform": "any",
                                "version_value": "prior to 1.19.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "GNU Project"
                  }
                ]
              }
            },
            "credit": [
              "Antti Levom\u00e4ki, Christian Jalio, Joonas Pihlaja from Forcepoint"
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk\u0027s length, but doesn\u0027t check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-122: Heap-based Buffer Overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html",
                  "refsource": "MISC",
                  "url": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html"
                },
                {
                  "name": "101590",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/101590"
                },
                {
                  "name": "GLSA-201711-06",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/201711-06"
                },
                {
                  "name": "DSA-4008",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2017/dsa-4008"
                },
                {
                  "name": "https://www.synology.com/support/security/Synology_SA_17_62_Wget",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/support/security/Synology_SA_17_62_Wget"
                },
                {
                  "name": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba",
                  "refsource": "CONFIRM",
                  "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba"
                },
                {
                  "name": "1039661",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1039661"
                },
                {
                  "name": "RHSA-2017:3075",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3075"
                }
              ]
            },
            "solution": "Patch to Wget 1.19.2 or equivalent version from your operating system distribution."
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2017-13090",
        "datePublished": "2017-10-27T19:00:00.000Z",
        "dateReserved": "2017-08-22T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:23:48.006Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-13089 (GCVE-0-2017-13089)

    Vulnerability from nvd – Published: 2017-10-27 19:00 – Updated: 2024-09-17 01:15
    VLAI
    Title
    GNU Wget: stack overflow in HTTP protocol handling
    Summary
    The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.
    CWE
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    GNU Project Wget Affected: prior to 1.19.2
    Create a notification for this product.
    Date Public
    2017-10-27 00:00
    Credits
    Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T18:58:12.341Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html"
              },
              {
                "name": "GLSA-201711-06",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/201711-06"
              },
              {
                "name": "DSA-4008",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2017/dsa-4008"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/support/security/Synology_SA_17_62_Wget"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f"
              },
              {
                "name": "101592",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/101592"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/r1b/CVE-2017-13089"
              },
              {
                "name": "1039661",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1039661"
              },
              {
                "name": "RHSA-2017:3075",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3075"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "any"
              ],
              "product": "Wget",
              "vendor": "GNU Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 1.19.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Antti Levom\u00e4ki, Christian Jalio, Joonas Pihlaja from Forcepoint"
            }
          ],
          "datePublic": "2017-10-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk\u0027s length, but doesn\u0027t check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121: Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-12-29T13:57:02.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html"
            },
            {
              "name": "GLSA-201711-06",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/201711-06"
            },
            {
              "name": "DSA-4008",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2017/dsa-4008"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/support/security/Synology_SA_17_62_Wget"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f"
            },
            {
              "name": "101592",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/101592"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/r1b/CVE-2017-13089"
            },
            {
              "name": "1039661",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1039661"
            },
            {
              "name": "RHSA-2017:3075",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3075"
            }
          ],
          "title": "GNU Wget: stack overflow in HTTP protocol handling",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cert@cert.org",
              "DATE_PUBLIC": "2017-10-27T15:00:00.000Z",
              "ID": "CVE-2017-13089",
              "STATE": "PUBLIC",
              "TITLE": "GNU Wget: stack overflow in HTTP protocol handling"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Wget",
                          "version": {
                            "version_data": [
                              {
                                "platform": "any",
                                "version_value": "prior to 1.19.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "GNU Project"
                  }
                ]
              }
            },
            "credit": [
              "Antti Levom\u00e4ki, Christian Jalio, Joonas Pihlaja from Forcepoint"
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk\u0027s length, but doesn\u0027t check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-121: Stack-based Buffer Overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html",
                  "refsource": "MISC",
                  "url": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html"
                },
                {
                  "name": "GLSA-201711-06",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/201711-06"
                },
                {
                  "name": "DSA-4008",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2017/dsa-4008"
                },
                {
                  "name": "https://www.synology.com/support/security/Synology_SA_17_62_Wget",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/support/security/Synology_SA_17_62_Wget"
                },
                {
                  "name": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f",
                  "refsource": "CONFIRM",
                  "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f"
                },
                {
                  "name": "101592",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/101592"
                },
                {
                  "name": "https://github.com/r1b/CVE-2017-13089",
                  "refsource": "MISC",
                  "url": "https://github.com/r1b/CVE-2017-13089"
                },
                {
                  "name": "1039661",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1039661"
                },
                {
                  "name": "RHSA-2017:3075",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3075"
                }
              ]
            },
            "solution": "Patch to Wget 1.19.2 or equivalent version from your operating system distribution."
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2017-13089",
        "datePublished": "2017-10-27T19:00:00.000Z",
        "dateReserved": "2017-08-22T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:15:49.128Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-62689 (GCVE-0-2025-62689)

    Vulnerability from cvelistv5 – Published: 2025-11-10 04:10 – Updated: 2025-11-14 18:01
    VLAI
    Summary
    NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-122 - Heap-based buffer overflow
    Assigner
    Impacted products
    Vendor Product Version
    GNU Project GNU libbmicrohttpd Affected: v1.0.2 and earlier (The vulnerability remains in the source code up until commit ff13abc on the master branch of the libmicrohttpd Git repository
    Affected: after the v1.0.2 tag.)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62689",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-14T18:01:50.566603Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-14T18:01:56.011Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GNU libbmicrohttpd",
              "vendor": "GNU Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "v1.0.2 and earlier (The vulnerability remains in the source code up until commit ff13abc on the master branch of the libmicrohttpd Git repository"
                },
                {
                  "status": "affected",
                  "version": "after the v1.0.2 tag.)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "Heap-based buffer overflow",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-10T04:10:57.970Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.gnu.org/software/libmicrohttpd/"
            },
            {
              "url": "https://git.gnunet.org/libmicrohttpd.git/commit/?id=ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN76719218/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-62689",
        "datePublished": "2025-11-10T04:10:57.970Z",
        "dateReserved": "2025-11-03T23:35:49.815Z",
        "dateUpdated": "2025-11-14T18:01:56.011Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59777 (GCVE-0-2025-59777)

    Vulnerability from cvelistv5 – Published: 2025-11-10 04:10 – Updated: 2025-11-10 21:41
    VLAI
    Summary
    NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL pointer dereference
    Assigner
    Impacted products
    Vendor Product Version
    GNU Project GNU libbmicrohttpd Affected: v1.0.2 and earlier (The vulnerability remains in the source code up until commit ff13abc on the master branch of the libmicrohttpd Git repository
    Affected: after the v1.0.2 tag.)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59777",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-10T21:40:57.327820Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-10T21:41:04.217Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GNU libbmicrohttpd",
              "vendor": "GNU Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "v1.0.2 and earlier (The vulnerability remains in the source code up until commit ff13abc on the master branch of the libmicrohttpd Git repository"
                },
                {
                  "status": "affected",
                  "version": "after the v1.0.2 tag.)"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "NULL pointer dereference",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-10T04:10:44.836Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "https://www.gnu.org/software/libmicrohttpd/"
            },
            {
              "url": "https://git.gnunet.org/libmicrohttpd.git/commit/?id=ff13abc1c1d7d2b30d69d5c0bd4a237e1801c50b"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN76719218/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2025-59777",
        "datePublished": "2025-11-10T04:10:44.836Z",
        "dateReserved": "2025-11-03T23:35:54.488Z",
        "dateUpdated": "2025-11-10T21:41:04.217Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-28736 (GCVE-0-2022-28736)

    Vulnerability from cvelistv5 – Published: 2023-07-20 00:23 – Updated: 2025-02-13 16:32
    VLAI
    Title
    There's a use-after-free vulnerability in grub_cmd_chainloader() function
    Summary
    There's a use-after-free vulnerability in grub_cmd_chainloader() function; The chainloader command is used to boot up operating systems that doesn't support multiboot and do not have direct support from GRUB2. When executing chainloader more than once a use-after-free vulnerability is triggered. If an attacker can control the GRUB2's memory allocation pattern sensitive data may be exposed and arbitrary code execution can be achieved.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    Assigner
    Impacted products
    Vendor Product Version
    GNU Project GNU GRUB Affected: 0 , < 2.06-3 (semver)
    Create a notification for this product.
    Date Public
    2022-06-13 00:00
    Credits
    Chris Coulson
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:03:52.084Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
              },
              {
                "tags": [
                  "issue-tracking",
                  "x_transferred"
                ],
                "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28736"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-28736",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-24T18:53:03.377740Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-24T18:53:12.420Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "packageName": "grub2",
              "platforms": [
                "Linux"
              ],
              "product": "GNU GRUB",
              "repo": "https://git.savannah.gnu.org/cgit/grub.git",
              "vendor": "GNU Project",
              "versions": [
                {
                  "lessThan": "2.06-3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chris Coulson"
            }
          ],
          "datePublic": "2022-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "There\u0027s a use-after-free vulnerability in grub_cmd_chainloader() function; The chainloader command is used to boot up operating systems that doesn\u0027t support multiboot and do not have direct support from GRUB2. When executing chainloader more than once a use-after-free vulnerability is triggered. If an attacker can control the GRUB2\u0027s memory allocation pattern sensitive data may be exposed and arbitrary code execution can be achieved."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-25T22:06:14.346Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "mailing-list"
              ],
              "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28736"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
            }
          ],
          "title": "There\u0027s a use-after-free vulnerability in grub_cmd_chainloader() function"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2022-28736",
        "datePublished": "2023-07-20T00:23:01.952Z",
        "dateReserved": "2022-04-05T21:59:08.761Z",
        "dateUpdated": "2025-02-13T16:32:37.356Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-28735 (GCVE-0-2022-28735)

    Vulnerability from cvelistv5 – Published: 2023-07-20 00:22 – Updated: 2025-02-13 16:32
    VLAI
    Summary
    The GRUB2's shim_lock verifier allows non-kernel files to be loaded on shim-powered secure boot systems. Allowing such files to be loaded may lead to unverified code and modules to be loaded in GRUB2 breaking the secure boot trust-chain.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    Assigner
    Impacted products
    Vendor Product Version
    GNU Project GNU GRUB Affected: 0 , < 2.06-3 (semver)
    Create a notification for this product.
    Date Public
    2022-06-13 00:00
    Credits
    Julian Andres Klode
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:03:52.586Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
              },
              {
                "tags": [
                  "issue-tracking",
                  "x_transferred"
                ],
                "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28735"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-28735",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-24T19:20:44.888610Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-24T19:20:56.235Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "packageName": "grub2",
              "platforms": [
                "Linux"
              ],
              "product": "GNU GRUB",
              "repo": "https://git.savannah.gnu.org/cgit/grub.git",
              "vendor": "GNU Project",
              "versions": [
                {
                  "lessThan": "2.06-3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Julian Andres Klode"
            }
          ],
          "datePublic": "2022-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The GRUB2\u0027s shim_lock verifier allows non-kernel files to be loaded on shim-powered secure boot systems. Allowing such files to be loaded may lead to unverified code and modules to be loaded in GRUB2 breaking the secure boot trust-chain."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-25T22:06:17.633Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "mailing-list"
              ],
              "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28735"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2022-28735",
        "datePublished": "2023-07-20T00:22:51.229Z",
        "dateReserved": "2022-04-05T21:59:08.760Z",
        "dateUpdated": "2025-02-13T16:32:36.760Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-28734 (GCVE-0-2022-28734)

    Vulnerability from cvelistv5 – Published: 2023-07-20 00:22 – Updated: 2025-02-13 16:32
    VLAI
    Title
    Out-of-bounds write when handling split HTTP headers
    Summary
    Out-of-bounds write when handling split HTTP headers; When handling split HTTP headers, GRUB2 HTTP code accidentally moves its internal data buffer point by one position. This can lead to a out-of-bound write further when parsing the HTTP request, writing a NULL byte past the buffer. It's conceivable that an attacker controlled set of packets can lead to corruption of the GRUB2's internal memory metadata.
    Assigner
    Impacted products
    Vendor Product Version
    GNU Project GNU GRUB Affected: 0 , < 2.06-3 (semver)
    Create a notification for this product.
    Date Public
    2022-06-13 00:00
    Credits
    Daniel Axtens
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:03:52.014Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
              },
              {
                "tags": [
                  "issue-tracking",
                  "x_transferred"
                ],
                "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28734"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "packageName": "grub2",
              "platforms": [
                "Linux"
              ],
              "product": "GNU GRUB",
              "repo": "https://git.savannah.gnu.org/cgit/grub.git",
              "vendor": "GNU Project",
              "versions": [
                {
                  "lessThan": "2.06-3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Daniel Axtens"
            }
          ],
          "datePublic": "2022-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Out-of-bounds write when handling split HTTP headers; When handling split HTTP headers, GRUB2 HTTP code accidentally moves its internal data buffer point by one position. This can lead to a out-of-bound write further when parsing the HTTP request, writing a NULL byte past the buffer. It\u0027s conceivable that an attacker controlled set of packets can lead to corruption of the GRUB2\u0027s internal memory metadata."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-25T22:06:16.044Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "mailing-list"
              ],
              "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28734"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
            }
          ],
          "title": "Out-of-bounds write when handling split HTTP headers"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2022-28734",
        "datePublished": "2023-07-20T00:22:37.840Z",
        "dateReserved": "2022-04-05T21:59:08.760Z",
        "dateUpdated": "2025-02-13T16:32:36.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-28733 (GCVE-0-2022-28733)

    Vulnerability from cvelistv5 – Published: 2023-07-20 00:20 – Updated: 2025-02-13 16:32
    VLAI
    Title
    Integer underflow in grub_net_recv_ip4_packets
    Summary
    Integer underflow in grub_net_recv_ip4_packets; A malicious crafted IP packet can lead to an integer underflow in grub_net_recv_ip4_packets() function on rsm->total_len value. Under certain circumstances the total_len value may end up wrapping around to a small integer number which will be used in memory allocation. If the attack succeeds in such way, subsequent operations can write past the end of the buffer.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    GNU Project GNU GRUB Affected: 0 , < 2.06-3 (semver)
    Create a notification for this product.
    Date Public
    2022-06-13 00:00
    Credits
    Daniel Axtens
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:03:52.571Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "mailing-list",
                  "x_transferred"
                ],
                "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
              },
              {
                "tags": [
                  "issue-tracking",
                  "x_transferred"
                ],
                "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28733"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-28733",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-24T19:49:29.972519Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-24T19:49:41.076Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "packageName": "grub2",
              "platforms": [
                "Linux"
              ],
              "product": "GNU GRUB",
              "repo": "https://git.savannah.gnu.org/cgit/grub.git",
              "vendor": "GNU Project",
              "versions": [
                {
                  "lessThan": "2.06-3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Daniel Axtens"
            }
          ],
          "datePublic": "2022-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Integer underflow in grub_net_recv_ip4_packets; A malicious crafted IP packet can lead to an integer underflow in grub_net_recv_ip4_packets() function on rsm-\u003etotal_len value. Under certain circumstances the total_len value may end up wrapping around to a small integer number which will be used in memory allocation. If the attack succeeds in such way, subsequent operations can write past the end of the buffer."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-191",
                  "description": "CWE-191",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-25T22:06:12.648Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "mailing-list"
              ],
              "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28733"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20230825-0002/"
            }
          ],
          "title": "Integer underflow in grub_net_recv_ip4_packets"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2022-28733",
        "datePublished": "2023-07-20T00:20:02.458Z",
        "dateReserved": "2022-04-05T21:59:08.759Z",
        "dateUpdated": "2025-02-13T16:32:35.678Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-13090 (GCVE-0-2017-13090)

    Vulnerability from cvelistv5 – Published: 2017-10-27 19:00 – Updated: 2024-09-16 18:23
    VLAI
    Title
    GNU Wget: heap overflow in HTTP protocol handling
    Summary
    The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer.
    CWE
    • CWE-122 - Heap-based Buffer Overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    GNU Project Wget Affected: prior to 1.19.2
    Create a notification for this product.
    Date Public
    2017-10-27 00:00
    Credits
    Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T18:58:12.303Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html"
              },
              {
                "name": "101590",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/101590"
              },
              {
                "name": "GLSA-201711-06",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/201711-06"
              },
              {
                "name": "DSA-4008",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2017/dsa-4008"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/support/security/Synology_SA_17_62_Wget"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba"
              },
              {
                "name": "1039661",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1039661"
              },
              {
                "name": "RHSA-2017:3075",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3075"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "any"
              ],
              "product": "Wget",
              "vendor": "GNU Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 1.19.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Antti Levom\u00e4ki, Christian Jalio, Joonas Pihlaja from Forcepoint"
            }
          ],
          "datePublic": "2017-10-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk\u0027s length, but doesn\u0027t check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122: Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-12-29T13:57:02.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html"
            },
            {
              "name": "101590",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/101590"
            },
            {
              "name": "GLSA-201711-06",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/201711-06"
            },
            {
              "name": "DSA-4008",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2017/dsa-4008"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/support/security/Synology_SA_17_62_Wget"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba"
            },
            {
              "name": "1039661",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1039661"
            },
            {
              "name": "RHSA-2017:3075",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3075"
            }
          ],
          "title": "GNU Wget: heap overflow in HTTP protocol handling",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cert@cert.org",
              "DATE_PUBLIC": "2017-10-27T15:00:00.000Z",
              "ID": "CVE-2017-13090",
              "STATE": "PUBLIC",
              "TITLE": "GNU Wget: heap overflow in HTTP protocol handling"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Wget",
                          "version": {
                            "version_data": [
                              {
                                "platform": "any",
                                "version_value": "prior to 1.19.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "GNU Project"
                  }
                ]
              }
            },
            "credit": [
              "Antti Levom\u00e4ki, Christian Jalio, Joonas Pihlaja from Forcepoint"
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk\u0027s length, but doesn\u0027t check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-122: Heap-based Buffer Overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html",
                  "refsource": "MISC",
                  "url": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html"
                },
                {
                  "name": "101590",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/101590"
                },
                {
                  "name": "GLSA-201711-06",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/201711-06"
                },
                {
                  "name": "DSA-4008",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2017/dsa-4008"
                },
                {
                  "name": "https://www.synology.com/support/security/Synology_SA_17_62_Wget",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/support/security/Synology_SA_17_62_Wget"
                },
                {
                  "name": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba",
                  "refsource": "CONFIRM",
                  "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba"
                },
                {
                  "name": "1039661",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1039661"
                },
                {
                  "name": "RHSA-2017:3075",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3075"
                }
              ]
            },
            "solution": "Patch to Wget 1.19.2 or equivalent version from your operating system distribution."
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2017-13090",
        "datePublished": "2017-10-27T19:00:00.000Z",
        "dateReserved": "2017-08-22T00:00:00.000Z",
        "dateUpdated": "2024-09-16T18:23:48.006Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-13089 (GCVE-0-2017-13089)

    Vulnerability from cvelistv5 – Published: 2017-10-27 19:00 – Updated: 2024-09-17 01:15
    VLAI
    Title
    GNU Wget: stack overflow in HTTP protocol handling
    Summary
    The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.
    CWE
    • CWE-121 - Stack-based Buffer Overflow
    Assigner
    References
    Impacted products
    Vendor Product Version
    GNU Project Wget Affected: prior to 1.19.2
    Create a notification for this product.
    Date Public
    2017-10-27 00:00
    Credits
    Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T18:58:12.341Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html"
              },
              {
                "name": "GLSA-201711-06",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/201711-06"
              },
              {
                "name": "DSA-4008",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2017/dsa-4008"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.synology.com/support/security/Synology_SA_17_62_Wget"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f"
              },
              {
                "name": "101592",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/101592"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/r1b/CVE-2017-13089"
              },
              {
                "name": "1039661",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1039661"
              },
              {
                "name": "RHSA-2017:3075",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:3075"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "any"
              ],
              "product": "Wget",
              "vendor": "GNU Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "prior to 1.19.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Antti Levom\u00e4ki, Christian Jalio, Joonas Pihlaja from Forcepoint"
            }
          ],
          "datePublic": "2017-10-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk\u0027s length, but doesn\u0027t check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121: Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-12-29T13:57:02.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html"
            },
            {
              "name": "GLSA-201711-06",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/201711-06"
            },
            {
              "name": "DSA-4008",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2017/dsa-4008"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.synology.com/support/security/Synology_SA_17_62_Wget"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f"
            },
            {
              "name": "101592",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/101592"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/r1b/CVE-2017-13089"
            },
            {
              "name": "1039661",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1039661"
            },
            {
              "name": "RHSA-2017:3075",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:3075"
            }
          ],
          "title": "GNU Wget: stack overflow in HTTP protocol handling",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cert@cert.org",
              "DATE_PUBLIC": "2017-10-27T15:00:00.000Z",
              "ID": "CVE-2017-13089",
              "STATE": "PUBLIC",
              "TITLE": "GNU Wget: stack overflow in HTTP protocol handling"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Wget",
                          "version": {
                            "version_data": [
                              {
                                "platform": "any",
                                "version_value": "prior to 1.19.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "GNU Project"
                  }
                ]
              }
            },
            "credit": [
              "Antti Levom\u00e4ki, Christian Jalio, Joonas Pihlaja from Forcepoint"
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk\u0027s length, but doesn\u0027t check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-121: Stack-based Buffer Overflow"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html",
                  "refsource": "MISC",
                  "url": "https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html"
                },
                {
                  "name": "GLSA-201711-06",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/201711-06"
                },
                {
                  "name": "DSA-4008",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2017/dsa-4008"
                },
                {
                  "name": "https://www.synology.com/support/security/Synology_SA_17_62_Wget",
                  "refsource": "CONFIRM",
                  "url": "https://www.synology.com/support/security/Synology_SA_17_62_Wget"
                },
                {
                  "name": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f",
                  "refsource": "CONFIRM",
                  "url": "http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f"
                },
                {
                  "name": "101592",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/101592"
                },
                {
                  "name": "https://github.com/r1b/CVE-2017-13089",
                  "refsource": "MISC",
                  "url": "https://github.com/r1b/CVE-2017-13089"
                },
                {
                  "name": "1039661",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1039661"
                },
                {
                  "name": "RHSA-2017:3075",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:3075"
                }
              ]
            },
            "solution": "Patch to Wget 1.19.2 or equivalent version from your operating system distribution."
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2017-13089",
        "datePublished": "2017-10-27T19:00:00.000Z",
        "dateReserved": "2017-08-22T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:15:49.128Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }