← voltar
CVE-2023-4806

Glibc: potential use-after-free in getaddrinfo()

CVSS 5.9 MEDIUMEPSS 1.4%CWE-416
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 5.9EPSS 1.4%KEV nãoPoC Nuclei Metasploit Patch referenciado
Ciclo de vida
18 set 2023Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
A flaw has been identified in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Produtos afetados
Red Hat · Red Hat Enterprise Linux 6Red Hat · Red Hat Enterprise Linux 7Red Hat · Red Hat Enterprise Linux 8Red Hat · Red Hat Enterprise Linux 8.6 Extended Update SupportRed Hat · Red Hat Enterprise Linux 9Red Hat · Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://access.redhat.com/errata/RHBA-2024:2413https://access.redhat.com/errata/RHSA-2023:5453https://access.redhat.com/errata/RHSA-2023:5455https://access.redhat.com/errata/RHSA-2023:7409https://access.redhat.com/security/cve/CVE-2023-4806https://bugzilla.redhat.com/show_bug.cgi?id=2237782https://cert-portal.siemens.com/productcert/html/ssa-082556.htmlhttps://cert-portal.siemens.com/productcert/html/ssa-831302.htmlhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/https://security.gentoo.org/glsa/202310-03