CVE-2021-36159

2021-08-0314:15:08

Google

osv.dev

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

6.6 Medium

AI Score

Confidence

Low

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

0.004 Low

EPSS

Percentile

73.1%

JSON

libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the ‘\0’ terminator one byte too late.

CPENameOperatorVersion
apk-toolseq2.2.4-r0
apk-toolseq2.8.0-r1
apk-toolseq2.10.5-r0
apk-toolseq2.3.3-r1
apk-toolseq2.0_pre11-r1
apk-toolseq2.7.0-r1
apk-toolseq2.0_rc7-r0
apk-toolseq2.2.0-r0
apk-toolseq2.6.6-r1
apk-toolseq2.0_pre11-r0

Name	Operator	Version
apk-tools	eq	2.2.4-r0
apk-tools	eq	2.8.0-r1
apk-tools	eq	2.10.5-r0
apk-tools	eq	2.3.3-r1
apk-tools	eq	2.0_pre11-r1
apk-tools	eq	2.7.0-r1
apk-tools	eq	2.0_rc7-r0
apk-tools	eq	2.2.0-r0
apk-tools	eq	2.6.6-r1
apk-tools	eq	2.0_pre11-r0