CVE-2017-5974

moderate-risk
Published 2017-03-01

Heap-based buffer overflow in the __zzip_get32 function in fetch.c in zziplib 0.13.62, 0.13.61, 0.13.60, 0.13.59, 0.13.58, 0.13.57, 0.13.56 allows remote attackers to cause a denial of service (crash) via a crafted ZIP file.

Do I need to act?

-
0.60% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (9)

Affected Vendors

Gdraheim Debian

References (8)

Third Party Advisory http://www.debian.org/security/2017/dsa-3878
Mailing List http://www.openwall.com/lists/oss-security/2017/02/14/3
Third Party Advisory http://www.securityfocus.com/bid/96268
Exploit https://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__...
Third Party Advisory http://www.debian.org/security/2017/dsa-3878
Mailing List http://www.openwall.com/lists/oss-security/2017/02/14/3
Third Party Advisory http://www.securityfocus.com/bid/96268
Exploit https://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__...
35
/ 100
moderate-risk
Severity 18/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 15/34 · Moderate