9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.16 Low
EPSS
Percentile
95.9%
Severity: Medium
Date : 2020-03-07
CVE-ID : CVE-2020-8597
Package : ppp
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1101
The package ppp before version 2.4.7-7 is vulnerable to arbitrary code
execution.
Upgrade to 2.4.7-7.
The problem has been fixed upstream but no release is available yet.
None.
A buffer overflow flaw was found in the ppp package in versions 2.4.2
through 2.4.8. The bounds check for the rhostname was improperly
constructed in the EAP request and response functions which could allow
a buffer overflow to occur. Data confidentiality and integrity, as well
as system availability, are all at risk with this vulnerability.
A remote unauthenticated user can crash or possibly execute code on the
host by sending malicious authentication data.
https://lists.debian.org/debian-lts-announce/2020/02/msg00005.html
https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426
https://seclists.org/fulldisclosure/2020/Mar/6
https://security.archlinux.org/CVE-2020-8597
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.16 Low
EPSS
Percentile
95.9%