A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality.
Find out more about CVE-2017-2885 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue affects the libsoup packages as shipped with Red Hat Enterprise Linux 7. However, these packages have been compiled with additional security mitigation techniques ("stack smashing protection"), which makes exploitation significantly harder. Thus, in most cases an exploitation attempt should be mitigated to a mere crash. However, successful exploitation to execute arbitrary code can't be ruled out entirely.
| CVSS3 Base Score | 7.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | Low |
| Availability Impact | Low |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 7 (libsoup) | RHSA-2017:2459 | 2017-08-10 |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | libsoup | Not affected |
| Red Hat Enterprise Linux 5 | libsoup | Not affected |
Vulmon