CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
35.9%
The ClamAV project reports:
CVE-2024-20290
A vulnerability in the OLE2 file format parser of ClamAV
could allow an unauthenticated, remote attacker to cause
a denial of service (DoS) condition on an affected
device. This vulnerability is due to an incorrect check
for end-of-string values during scanning, which may
result in a heap buffer over-read. An attacker could
exploit this vulnerability by submitting a crafted file
containing OLE2 content to be scanned by ClamAV on an
affected device. A successful exploit could allow the
attacker to cause the ClamAV scanning process to
terminate, resulting in a DoS condition on the affected
software and consuming available system resources.
CVE-2024-20328
Fixed a possible command injection vulnerability in the
"VirusEvent" feature of ClamAV's ClamD
service. To fix this issue, we disabled the '%f' format
string parameter. ClamD administrators may continue to
use the `CLAM_VIRUSEVENT_FILENAME` environment variable,
instead of '%f'. But you should do so only from within
an executable, such as a Python script, and not directly
in the clamd.conf "VirusEvent" command.
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
35.9%