CVE-2016-4579

moderate-risk
Published 2016-06-13

Libksba before 1.3.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via unspecified vectors, related to the "returned length of the object from _ksba_ber_parse_tl."

Do I need to act?

~
1.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (6)

Libksba

Affected Vendors

Gnupg Canonical Opensuse

References (12)

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git%3Ba=commit%3Bh=a7eed17a0b2...
http://lists.opensuse.org/opensuse-updates/2016-06/msg00028.html
http://www.openwall.com/lists/oss-security/2016/05/10/8
http://www.openwall.com/lists/oss-security/2016/05/11/10
http://www.ubuntu.com/usn/USN-2982-1
https://security.gentoo.org/glsa/201706-22
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git%3Ba=commit%3Bh=a7eed17a0b2...
http://lists.opensuse.org/opensuse-updates/2016-06/msg00028.html
http://www.openwall.com/lists/oss-security/2016/05/10/8
http://www.openwall.com/lists/oss-security/2016/05/11/10
http://www.ubuntu.com/usn/USN-2982-1
https://security.gentoo.org/glsa/201706-22
42
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 3/34 · Minimal
Exposure 13/34 · Low