CVE-2023-38253 : An out-of-bounds read flaw was found in w3m, in the growbuf_to

An out-of-bounds read flaw was found in w3m, in the growbuf_to_Str function in indep.c. This issue may allow an attacker to cause a denial of service through a crafted HTML file.

Published 2023-07-14 18:15:11

Updated 2024-03-27 03:15:10

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2023-38253

Redhat » Enterprise Linux » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 38
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Extra Packages For Enterprise Linux » Version: 8.0
cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Tats » W3M » Version: 0.5.3+git20230121
cpe:2.3:a:tats:w3m:0.5.3\+git20230121:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2023-38253

Top countries where our scanners detected CVE-2023-38253

Top open port discovered on systems with this issue 53

IPs affected by CVE-2023-38253 14,464

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2023-38253!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2023-38253

EPSS FAQ

0.01%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 1 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-38253

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High
4.7	MEDIUM	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H	1.0	3.6	Red Hat, Inc.
Attack Vector: Local Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2023-38253

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2023-38253

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TODROGVCWZ435HQIZE6ARQC5LPQLIA5C/

[SECURITY] Fedora 39 Update: w3m-0.5.3-63.git20230121.fc39 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKFZQUK7FPWWJQYICDZZ4YWIPUPQ2D3R/

[SECURITY] Fedora 38 Update: w3m-0.5.3-63.git20230121.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://access.redhat.com/security/cve/CVE-2023-38253

CVE-2023-38253- Red Hat Customer Portal
Third Party Advisory
https://github.com/tats/w3m/issues/271

[BUG] Out-of-bound read in growbuf_to_Str , indep.c:441 · Issue #271 · tats/w3m · GitHub
Exploit;Issue Tracking;Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2222779

2222779 – (CVE-2023-38253) CVE-2023-38253 w3m: Out of bounds read in growbuf_to_Str() at w3m/indep.c
Issue Tracking;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AULOBQJLXE2KCT5UVQMKGEFL4GFIAOED/

[SECURITY] Fedora 40 Update: w3m-0.5.3-63.git20230121.fc40 - package-announce - Fedora Mailing-Lists

CVEs referencing this url