Lucene search

MitreCVE-2017-1000376

HistoryJun 19, 2017 - 4:29 p.m.

CVE-2017-1000376

2017-06-1916:29:00

CWE-119

mitre

web.nvd.nist.gov

165

libffi

cve-2017-1000376

security

vulnerability

code execution

stack overflow

nvd

CVSS2

6.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

High

EPSS

0.001

Percentile

22.7%

JSON

libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1.

Affected configurations

Nvd

Node

redhatenterprise_virtualization_serverMatch-

redhatopenshiftMatch2.0

redhatenterprise_linuxMatch6.0

redhatenterprise_linuxMatch7.0

Node

debiandebian_linuxMatch8.0

debiandebian_linuxMatch9.0

Node

libffi_projectlibffiRange<3.2

Node

oraclepeopletoolsMatch8.56

oraclepeopletoolsMatch8.57

VendorProductVersionCPE
redhatenterprise_virtualization_server-cpe:2.3:a:redhat:enterprise_virtualization_server:-:*:*:*:*:*:*:*
redhatopenshift2.0cpe:2.3:a:redhat:openshift:2.0:*:*:*:*:*:*:*
redhatenterprise_linux6.0cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
redhatenterprise_linux7.0cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
debiandebian_linux8.0cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
libffi_projectlibffi*cpe:2.3:a:libffi_project:libffi:*:*:*:*:*:*:*:*
oraclepeopletools8.56cpe:2.3:a:oracle:peopletools:8.56:*:*:*:*:*:*:*
oraclepeopletools8.57cpe:2.3:a:oracle:peopletools:8.57:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	enterprise_virtualization_server	-	cpe:2.3:a:redhat:enterprise_virtualization_server:-:::::::*
redhat	openshift	2.0	cpe:2.3:a:redhat:openshift:2.0:::::::*
redhat	enterprise_linux	6.0	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*
redhat	enterprise_linux	7.0	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
debian	debian_linux	8.0	cpe:2.3:o:debian:debian_linux:8.0:::::::*
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*
libffi_project	libffi	*	cpe:2.3:a:libffi_project:libffi::::::::
oracle	peopletools	8.56	cpe:2.3:a:oracle:peopletools:8.56:::::::*
oracle	peopletools	8.57	cpe:2.3:a:oracle:peopletools:8.57:::::::*