Lucene search

[email protected]NVD:CVE-2023-45678

HistoryOct 21, 2023 - 12:15 a.m.

CVE-2023-45678

2023-10-2100:15:09

CWE-787

[email protected]

web.nvd.nist.gov

cve-2023-45678

stb_vorbis

buffer write

code execution

mit licensed

ogg vorbis

crafted file

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

High

EPSS

0.001

Percentile

28.5%

JSON

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of buffer write in start_decoder because at maximum m->submaps can be 16 but submap_floor and submap_residue are declared as arrays of 15 elements. This issue may lead to code execution.

Affected configurations

Nvd

Node

nothingsstb_vorbis.cMatch1.22

VendorProductVersionCPE
nothingsstb_vorbis.c1.22cpe:2.3:a:nothings:stb_vorbis.c:1.22:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nothings	stb_vorbis.c	1.22	cpe:2.3:a:nothings:stb_vorbis.c:1.22:::::::*

References

github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L4074-L4079

github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L753-L760

securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

High

EPSS

0.001

Percentile

28.5%

JSON

Related for NVD:CVE-2023-45678

cve1 veracode1 ubuntucve1 debiancve1 vulnrichment1 prion1 cvelist1