Description
Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer.
This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.
A flaw was found in the Apache Portable Runtime Utility (APR-util) library. This issue may allow a malicious attacker to cause an out-of-bounds write due to an integer overflow when encoding/decoding a very long string using the base64 family of functions.
Report
The Apache Portable Runtime Utility (APR-util) library contains additional utility interfaces for APR (Apache Portable Runtime). This vulnerability is related to the incorrect usage of the base64 encoding/decoding family of functions through the APR-util API. Using these functions on a long enough string causes an integer overflow that leads to an out-of-bounds write. This flaw was briefly rated Important, as Red Hat had received information that it could potentially allow remote attackers to cause a denial of service in an application linked against the APR-util library. Deeper analysis confirmed that there are no known conditions that could lead to a DoS. Additionally, the APR-util API should not be exposed to untrusted uploads and usage.
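The following is an added illustration of the size arithmetic behind the flaw described above; it is constructed for this entry and is not APR-util's own code. It uses the standard base64 output-size formula, once unchecked (the length wraps for very long input, so a far too small buffer would be allocated) and once with a bound check that refuses such input; the 32-bit unsigned length type and the function names are assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not APR-util's own code. Base64 turns every
 * 3 input bytes into 4 output characters, and the caller also needs room
 * for a trailing NUL, so the buffer size is ((len + 2) / 3) * 4 + 1.
 * A 32-bit unsigned length is used so the wraparound is well defined and
 * observable (with a signed int it would be undefined behaviour). */

/* Unchecked: for inputs above roughly 3 GiB the multiplication wraps and
 * the function reports a tiny buffer size for a huge input. A caller that
 * allocates that size gives the encoder far too little room to write. */
uint32_t b64_encode_len_unchecked(uint32_t len)
{
    return (len + 2u) / 3u * 4u + 1u;
}

/* Checked: every intermediate value is bounded before it is computed.
 * Returns 0 (never a valid size, since the NUL alone needs 1 byte) when
 * the input is too long for its encoded size to fit in 32 bits. */
uint32_t b64_encode_len_checked(uint32_t len)
{
    if (len > UINT32_MAX - 2u)            /* len + 2 would wrap */
        return 0;
    uint32_t groups = (len + 2u) / 3u;    /* 4-character output groups */
    if (groups > (UINT32_MAX - 1u) / 4u)  /* groups * 4 + 1 would wrap */
        return 0;
    return groups * 4u + 1u;
}

int main(void)
{
    /* Constructed input length: one byte past the largest safe value. */
    uint32_t huge = 3221225470u;
    printf("unchecked: %" PRIu32 " bytes for a %" PRIu32 "-byte input\n",
           b64_encode_len_unchecked(huge), huge);
    printf("checked:   %" PRIu32 " (0 = refuse to encode)\n",
           b64_encode_len_checked(huge));
    return 0;
}
```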
Affected packages
| Platform | Package | Status | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | apr-util | Out of support scope | | |
| JBCS httpd 2.4.51.sp2 | jbcs-httpd24-apr-util | Fixed | RHSA-2023:3355 | 05.06.2023 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-apr-util | Fixed | RHSA-2023:3354 | 05.06.2023 |
| JBoss Core Services on RHEL 7 | jbcs-httpd24-apr-util | Fixed | RHSA-2023:3354 | 05.06.2023 |
| Red Hat Enterprise Linux 7 | apr-util | Fixed | RHSA-2023:3145 | 16.05.2023 |
| Red Hat Enterprise Linux 8 | apr-util | Fixed | RHSA-2023:3109 | 16.05.2023 |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | apr-util | Fixed | RHSA-2023:3177 | 17.05.2023 |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | apr-util | Fixed | RHSA-2023:3380 | 31.05.2023 |
| Red Hat Enterprise Linux 8.2 Telecommunications Update Service | apr-util | Fixed | RHSA-2023:3380 | 31.05.2023 |
| Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions | apr-util | Fixed | RHSA-2023:3380 | 31.05.2023 |
Additional information
CVSS3: 6.5 Medium