CVE-2017-6802

moderate-risk

Published 2017-03-10

An issue was discovered in ytnef before 1.9.2. There is a potential heap-based buffer over-read on incoming Compressed RTF Streams, related to DecompressRTF() in libytnef.

Do I need to act?

0.80% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (3)

Debian Linux

Ytnef

Affected Vendors

Ytnef Project Debian

References (8)

Third Party Advisory http://www.debian.org/security/2017/dsa-3846

Patch https://github.com/Yeraze/ytnef/commit/22f8346c8d4f0020a40d9f258fdb3bfc097359cc

Issue Tracking https://github.com/Yeraze/ytnef/issues/34

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory http://www.debian.org/security/2017/dsa-3846

Patch https://github.com/Yeraze/ytnef/commit/22f8346c8d4f0020a40d9f258fdb3bfc097359cc

Issue Tracking https://github.com/Yeraze/ytnef/issues/34

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 3/34 · Minimal

Exposure 9/34 · Low