Vulnerability Details : CVE-2013-4237
Potential exploit
sysdeps/posix/readdir_r.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted (1) NTFS or (2) CIFS image.
Vulnerability category: Execute codeDenial of service
Products affected by CVE-2013-4237
- cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.13:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.11:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.14:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.16:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.15:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.17:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-4237
1.42%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 79 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-4237
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
CWE ids for CVE-2013-4237
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-4237
-
http://www.ubuntu.com/usn/USN-1991-1
USN-1991-1: GNU C Library vulnerabilities | Ubuntu security notices
-
http://www.securityfocus.com/bid/61729
GNU glibc CVE-2013-4237 Remote Buffer Overflow Vulnerability
-
http://secunia.com/advisories/55113
Sign in
-
https://security.gentoo.org/glsa/201503-04
GNU C Library: Multiple vulnerabilities (GLSA 201503-04) — Gentoo security
-
http://www.mandriva.com/security/advisories?name=MDVSA-2013:283
mandriva.com
-
https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Ba=commitdiff%3Bh=91ce40854d0b7f865cf5024ef95a8026b76096f3
sourceware.org Git
-
https://bugzilla.redhat.com/show_bug.cgi?id=995839
995839 – (CVE-2013-4237) CVE-2013-4237 glibc: Buffer overwrite when using readdir_r on file systems returning file names longer than NAME_MAX charactersPatch
-
https://sourceware.org/bugzilla/show_bug.cgi?id=14699
14699 – (CVE-2013-4237) readdir_r: does not enforce NAME_MAX limit (CVE-2013-4237)Patch
-
http://www.openwall.com/lists/oss-security/2013/08/12/8
oss-security - Re: CVE Request -- glibc: Buffer overwrite when using readdir_r on file systems returning file names longer than NAME_MAX charactersPatch
Jump to