Vulnerability Details: CVE-2008-2363
The PartsBatch class in Pan 0.132 and earlier does not properly manage the data structures for Parts batches, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted .nzb file that triggers a heap-based buffer overflow.
Vulnerability category: Overflow, Execute code, Denial of service
Products affected by CVE-2008-2363
- cpe:2.3:a:pan:pan:*:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.129:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.130:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.124:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.123:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.115:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.114:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.107:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.106:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.126:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.125:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.117:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.116:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.109:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.108:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.128:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.127:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.119:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.118:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.111:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.110:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.131:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.122:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.121:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.120:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.113:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.112:*:*:*:*:*:*:*
- cpe:2.3:a:pan:pan:0.105:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-2363
4.22%: Probability of exploitation activity in the next 30 days
~92%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2008-2363
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST | |
CWE ids for CVE-2008-2363
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2008-2363
- Red Hat, 2008-06-03: Not vulnerable. This issue did not affect the versions of pan as shipped with Red Hat Enterprise Linux 2.1. No other versions of Red Hat Enterprise Linux have shipped Pan.
References for CVE-2008-2363
-
http://bugs.gentoo.org/show_bug.cgi?id=224051
224051 – (CVE-2008-2363) net-nntp/pan <0.132-r3 Buffer overflow parsing *.nzb files (CVE-2008-2363)
Patch
-
https://bugzilla.redhat.com/show_bug.cgi?id=446902
446902 – (CVE-2008-2363) CVE-2008-2363 pan: heap overflow caused by large *.nzb files
-
http://www.mandriva.com/security/advisories?name=MDVSA-2008:201
Mandriva
-
http://www.securityfocus.com/bid/29421
Patch
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/42750
Pan .nzb file buffer overflow CVE-2008-2363 Vulnerability Report
-
http://marc.info/?l=oss-security&m=121207185600564&w=2
'[oss-security] CVE-2008-2363: pan - heap overflow' - MARC
Patch
-
http://security.gentoo.org/glsa/glsa-200807-15.xml
Pan: User-assisted execution of arbitrary code (GLSA 200807-15) — Gentoo security
-
http://bugzilla.gnome.org/show_bug.cgi?id=535413
Bug 535413 – [Security] CVE-2008-2363 Buffer overflow in pan when parsing *.nzb files
Patch
-
http://www.novell.com/linux/security/advisories/2008_13_sr.html