CVSS3 : 5.5 Medium
Attack Vector : LOCAL
Attack Complexity : LOW
Privileges Required : LOW
User Interaction : NONE
Scope : UNCHANGED
Confidentiality Impact : NONE
Integrity Impact : NONE
Availability Impact : HIGH
Vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS2 : 2.1 Low
Access Vector : LOCAL
Access Complexity : LOW
Authentication : NONE
Confidentiality Impact : NONE
Integrity Impact : NONE
Availability Impact : PARTIAL
Vector : AV:L/AC:L/Au:N/C:N/I:N/A:P

EPSS : 0.001 Low
Percentile : 19.1%

Severity: Medium
Date : 2020-11-26
CVE-ID : CVE-2020-28928
Package : musl
Type : arbitrary code execution
Remote : No
Link : https://security.archlinux.org/AVG-1287
The package musl before version 1.2.1-2 is vulnerable to arbitrary code
execution.
Upgrade to 1.2.1-2.
The problem has been fixed upstream but no release is available yet.
Workaround : None.
The wcsnrtombs function in all musl libc versions up to 1.2.1 has been
found to have multiple bugs in the handling of the destination buffer
size when limiting the input character count, which can lead to an
infinite loop with no progress (no overflow) or to writing past the end
of the destination buffer.
An attacker might be able to execute arbitrary code via crafted input
content.
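
The destination-size handling described above can be checked against the installed libc with a canary-filled buffer. This is an added example, not code from musl or from the advisory; the names `check_one`, `sweep_wcsnrtombs`, `CANARY` and `BUF` and the sample input are constructed here, and the sweep verifies the function's documented limits rather than reproducing the upstream report.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <wchar.h>

#define CANARY 0xA5
#define BUF 32  /* much larger than the 8-char input, so a stray write stays inside dst */

/* One call with wn = max wide chars to read, n = destination size in bytes.
 * Returns 0 if both limits were honoured, -1 otherwise. */
static int check_one(size_t wn, size_t n)
{
    /* Constructed input: ASCII only, so one wide char is one byte in any locale. */
    static const wchar_t input[] = L"ABCDEFGH";
    unsigned char dst[BUF];
    const wchar_t *src = input;
    mbstate_t st;
    size_t want = wn < n ? wn : n, r, i;

    memset(dst, CANARY, sizeof dst);
    memset(&st, 0, sizeof st);
    r = wcsnrtombs((char *)dst, &src, wn, n, &st);
    if (r != want) return -1;                /* wrong byte count */
    if (src != input + want) return -1;      /* source pointer not left at next char */
    if (memcmp(dst, "ABCDEFGH", want) != 0) return -1;
    for (i = want; i < BUF; i++)             /* nothing written past the output */
        if (dst[i] != CANARY) return -1;
    return 0;
}

/* Sweep every (wn, n) pair for wn <= 8, n <= 12; returns the number of failing pairs. */
int sweep_wcsnrtombs(void)
{
    int failures = 0;
    size_t wn, n;
    alarm(5);  /* the advisory also describes a no-progress loop: abort instead of hanging */
    for (wn = 0; wn <= 8; wn++)
        for (n = 0; n <= 12; n++)
            failures += check_one(wn, n) != 0;
    alarm(0);
    return failures;
}

int main(void)
{
    int failures = sweep_wcsnrtombs();
    printf("wcsnrtombs: %d failing (wn, n) pairs\n", failures);
    return failures != 0;
}
```

A nonzero exit status, or termination by SIGALRM, means the libc did not honour the limits for at least one pair; statically linked binaries need to be rebuilt against the fixed musl before they pass.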
https://bugs.archlinux.org/task/68685
https://www.openwall.com/lists/musl/2020/11/19/1
https://git.musl-libc.org/cgit/musl/commit/?id=3ab2a4e02682df1382955071919d8aa3c3ec40d4
https://security.archlinux.org/CVE-2020-28928