CVE-2023-6246 Information

Description

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called or called with the ident argument set to NULL and the program name (the basename of argv[0]) is bigger than 1024 bytes resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://access.redhat.com/security/cve/CVE-2023-6246 https://bugzilla.redhat.com/show_bug.cgi?id=2249053 https://www.openwall.com/lists/oss-security/2024/01/30/6 http://packetstormsecurity.com/files/176931/glibc-qsort-Out-Of-Bounds-Read-Write.html http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.8