CVE-2023-3603
low-risk
Published 2023-07-21
A missing allocation check in sftp server processing read requests may cause a NULL dereference on low-memory conditions. The malicious client can request up to 4GB SFTP reads, causing allocation of up to 4GB buffers, which was not being checked for failure. This will likely crash the authenticated user's sftp server connection (if implemented as forking as recommended). For thread-based servers, this might also cause DoS for legitimate users. Given this code is not in any released versions, no security releases have been issued.
Do I need to act?
-
0.12% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.1/10
Low
NETWORK
/ HIGH complexity
Affected Products (1)
Affected Vendors
References (4)
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2023-3603
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2221791
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2023-3603
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2221791
17
/ 100
low-risk
Severity
11/34 · Low
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal