Vulnerability Details : CVE-2017-17969
Heap-based buffer overflow in the NCompress::NShrink::CDecoder::CodeReal method in 7-Zip before 18.00 and p7zip allows remote attackers to cause a denial of service (out-of-bounds write) or potentially execute arbitrary code via a crafted ZIP archive.
Vulnerability category: Overflow; Execute code; Denial of service
Products affected by CVE-2017-17969
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:7-zip:7-zip:*:*:*:*:*:*:*:*
- cpe:2.3:a:7-zip:p7zip:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-17969
EPSS score: 0.65% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~79% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2017-17969
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST |
CWE ids for CVE-2017-17969
- The product writes data past the end, or before the beginning, of the intended buffer. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-17969
- https://github.com/p7zip-project/p7zip/issues/7
  About the CVE-2017-17969 · Issue #7 · p7zip-project/p7zip · GitHub
- https://lists.debian.org/debian-lts-announce/2018/02/msg00003.html
  [SECURITY] [DLA 1268-1] p7zip security update (Mailing List; Third Party Advisory)
- https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/
  7-Zip: Multiple Memory Corruptions via RAR and ZIP | landave's blog (Exploit; Technical Description; Third Party Advisory)
- http://www.securitytracker.com/id/1040831
  7-Zip RAR and ZIP Archive Processing Flaws Let Remote Users Execute Arbitrary Code - SecurityTracker
- https://usn.ubuntu.com/3913-1/
  USN-3913-1: P7ZIP vulnerabilities | Ubuntu security notices
- https://www.debian.org/security/2018/dsa-4104
  Debian -- Security Information -- DSA-4104-1 p7zip (Third Party Advisory)
- https://0patch.blogspot.si/2018/02/two-interesting-micropatches-for-7-zip.html
  0patch Blog: Two Interesting Micropatches For 7-Zip (CVE-2017-17969 and CVE-2018-5996)