Vulnerability Details : CVE-2014-9636
unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression.
Vulnerability category: Overflow; Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2014-9636
Probability of exploitation activity in the next 30 days: 25.88%
Percentile (the proportion of vulnerabilities scored at or below this one): ~96%
CVSS scores for CVE-2014-9636
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST
CWE ids for CVE-2014-9636
- The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2014-9636
- UnZip: Multiple vulnerabilities (GLSA 201611-01), Gentoo security: https://security.gentoo.org/glsa/201611-01
- Info-ZIP UnZip Out of Bounds Denial of Service Vulnerability: http://www.securityfocus.com/bid/71825
- oss-sec: Re: CVE Request: Info-ZIP unzip 6.0: http://seclists.org/oss-sec/2015/q1/216
- Oracle Solaris Third Party Bulletin - April 2015: http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
- [SECURITY] Fedora 21 Update: unzip-6.0-18.fc21: http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148792.html
- Debian -- Security Information -- DSA-3152-1 unzip: http://www.debian.org/security/2015/dsa-3152
- oss-sec: CVE Request: Info-ZIP unzip 6.0: http://seclists.org/oss-sec/2014/q4/1131
- USN-2489-1: unzip vulnerability | Ubuntu security notices: http://www.ubuntu.com/usn/USN-2489-1
- oss-sec: Re: unzip -t crasher: http://seclists.org/oss-sec/2014/q4/496
- Info-ZIP forum thread (Patch; Vendor Advisory): http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
- [SECURITY] Fedora 20 Update: unzip-6.0-15.fc20: http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148849.html
- oss-sec: unzip -t crasher: http://seclists.org/oss-sec/2014/q4/489
Products affected by CVE-2014-9636
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
- cpe:2.3:a:unzip_project:unzip:6.0:*:*:*:*:*:*:*