Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2024-10573

Опубликовано: 30 окт. 2024
Источник: redhat
CVSS3: 6.7
EPSS Низкий

Описание

An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.

Отчет

The Red Hat Product Security team has classified this vulnerability as having a Moderate severity due to the complexity of the attack and the attack vector being generally considered as local.

Меры по смягчению последствий

This vulnerability can be mitigated by using the --no-frankenstein option to the mpg123 application.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 7mpg123Out of support scope
Red Hat Enterprise Linux 8mpg123FixedRHSA-2024:1119317.12.2024
Red Hat Enterprise Linux 9mpg123FixedRHSA-2024:1124217.12.2024

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-787
https://bugzilla.redhat.com/show_bug.cgi?id=2322980mpg123: Buffer overflow when writing decoded PCM samples

EPSS

Процентиль: 22%
0.00069
Низкий

6.7 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2024-10573

CVSS3: 6.7
ubuntu
8 месяцев назад

An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.

nvd логотип

CVE-2024-10573

CVSS3: 6.7
nvd
8 месяцев назад

An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.

debian логотип

CVE-2024-10573

CVSS3: 6.7
debian
8 месяцев назад

An out-of-bounds write flaw was found in mpg123 when handling crafted ...

redos логотип

ROS-20241220-02

CVSS3: 6.7
redos
6 месяцев назад

Уязвимость mpg123

rocky логотип

RLSA-2024:11193

rocky
около 2 месяцев назад

Moderate: mpg123 security update

EPSS

Процентиль: 22%
0.00069
Низкий

6.7 Medium

CVSS3