Vulnerability Details : CVE-2017-12613
When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.
Vulnerability category: Denial of serviceInformation leak
Products affected by CVE-2017-12613
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:6.7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:6.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_core_services:-:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_core_services:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:portable_runtime:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-12613
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 28 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-12613
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.6
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:P |
3.9
|
4.9
|
NIST | |
7.1
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
1.8
|
5.2
|
NIST |
CWE ids for CVE-2017-12613
-
The product reads data past the end, or before the beginning, of the intended buffer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-12613
-
https://access.redhat.com/errata/RHSA-2018:0316
RHSA-2018:0316 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:0465
RHSA-2018:0465 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.securityfocus.com/bid/101560
Apache Portable Runtime Utility CVE-2017-12613 Multiple Information Disclosure VulnerabilitiesBroken Link
-
https://lists.apache.org/thread.html/12489f2e4a9f9d390235c16298aca0d20658789de80d553513977f13%40%3Cannounce.apache.org%3E
Pony Mail!Issue Tracking;Vendor Advisory
-
https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8@%3Cdev.apr.apache.org%3E
Re: CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b@%3Cannounce.apache.org%3E
CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613 - Pony MailMailing List;Vendor Advisory
-
https://svn.apache.org/viewvc?view=revision&revision=1807976
[Apache-SVN] Revision 1807976Issue Tracking;Third Party Advisory
-
https://lists.apache.org/thread.html/r270dd5022db194b78acaf509216a33c85f3da43757defa05cc766339@%3Ccommits.apr.apache.org%3E
svn commit: r49582 - /release/apr/patches/apr-1.7.0-CVE-2021-35940.patch - Pony MailMailing List;Patch;Vendor Advisory
-
https://access.redhat.com/errata/RHSA-2018:1253
RHSA-2018:1253 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:0466
RHSA-2018:0466 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.apache.org/dist/apr/Announcement1.x.html
Apache Portable Runtime library 1.7.0 ReleasedRelease Notes;Vendor Advisory
-
http://www.securitytracker.com/id/1042004
Apple macOS/OS X Multiple Remote Code Execution, Denial of Service, and Information Disclosure Attacks and Local Privilege Escalation Attacks - SecurityTrackerThird Party Advisory;VDB Entry
-
https://access.redhat.com/errata/RHSA-2017:3270
RHSA-2017:3270 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2022/01/msg00023.html
[SECURITY] [DLA 2897-1] apr security updateMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2017:3475
RHSA-2017:3475 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/rcc48a0acebbd74bbdeebc02ff228bb72c0631b21823fffe27d4691e9@%3Ccommits.apr.apache.org%3E
Pony Mail!Mailing List;Patch;Vendor Advisory
-
https://access.redhat.com/errata/RHSA-2017:3477
RHSA-2017:3477 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2017:3476
RHSA-2017:3476 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2017/11/msg00005.html
[SECURITY] [DLA 1162-1] apr security updateMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e@%3Cdev.apr.apache.org%3E
Mailing List;Vendor Advisory
-
http://www.openwall.com/lists/oss-security/2021/08/23/1
oss-security - CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613Mailing List;Third Party Advisory
Jump to