CVE-2023-24809

2023-02-1720:15:12

Google

osv.dev

nethack

buffer overflow

security issue

version 3.6.7

suid

sgid

shared systems

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

9.1%

JSON

NetHack is a single player dungeon exploration game. Starting with version 3.6.2 and prior to version 3.6.7, illegal input to the “C” (call) command can cause a buffer overflow and crash the NetHack process. This vulnerability may be a security issue for systems that have NetHack installed suid/sgid and for shared systems. For all systems, it may result in a process crash. This issue is resolved in NetHack 3.6.7. There are no known workarounds.

CPENameOperatorVersion
nethackeqNetHack-3.6.3.wip.2019.10.29
nethackeqNetHack-3.6.2_Released
nethackeqNetHack-3.6.6_PostRelease
nethackeqNetHack-3.6.3_WIP
nethackeq3.6.3.wip.2019.10.29
nethackeqNetHack-3.6.3_Released
nethackeqNetHack-3.6.2_Release
nethackeqNetHack-3.6.3.wip.2019.11.04
nethackeqNetHack-3.6.3.beta1.2019.11.17
nethackeqNetHack-3.6.5_PostRelease

Name	Operator	Version
nethack	eq	NetHack-3.6.3.wip.2019.10.29
nethack	eq	NetHack-3.6.2_Released
nethack	eq	NetHack-3.6.6_PostRelease
nethack	eq	NetHack-3.6.3_WIP
nethack	eq	3.6.3.wip.2019.10.29
nethack	eq	NetHack-3.6.3_Released
nethack	eq	NetHack-3.6.2_Release
nethack	eq	NetHack-3.6.3.wip.2019.11.04
nethack	eq	NetHack-3.6.3.beta1.2019.11.17
nethack	eq	NetHack-3.6.5_PostRelease