HIGH · 8.2

CVE-2023-6779

Vulnerability Description

An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. The issue occurs when these functions are called with a message larger than INT_MAX bytes, which leads to an incorrect calculation of the size of the buffer used to store the message and results in an application crash. This issue affects glibc 2.37 and newer.

CVSS Score

8.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Attack Vector:       NETWORK
Attack Complexity:   LOW
Privileges Required: NONE
User Interaction:    NONE
Scope:               UNCHANGED
Confidentiality:     NONE
Integrity:           LOW
Availability:        HIGH

Affected Products

Vendor           Product   Versions
GNU              glibc     >= 2.37, < 2.39
Fedora Project   Fedora    38

Related Weaknesses (CWE)

References

FAQ

What is CVE-2023-6779?

CVE-2023-6779 is a vulnerability with a CVSS score of 8.2 (HIGH). An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. The issue occurs when these functions are called with a message larger than INT_MAX bytes, which leads to an incorrect calculation of the size of the buffer used to store the message and results in an application crash. This issue affects glibc 2.37 and newer.

How severe is CVE-2023-6779?

CVE-2023-6779 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-6779?

Check the references section above for vendor advisories and patch information. Affected products include: GNU glibc, Fedora Project Fedora.