CVE-2023-25139

Published: 2023-02-03 Updated: 2023-03-02
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations even when the caller sized the destination buffer correctly. This is unrelated to CWE-676 (use of a potentially dangerous function): the defect is in the library, not in the caller's choice of sprintf. It may write beyond the bounds of the destination buffer when asked to write a padded, thousands-separated representation of a number (the apostrophe grouping flag combined with a minimum field width, e.g. "%'13d") into a buffer allocated to exactly the size that output should occupy. For example, 1,234,567 padded to width 13 should occupy 13 bytes but is written as 15, overflowing by two bytes. Grouping characters are only emitted in a locale whose LC_NUMERIC category defines a thousands separator, so the overflow does not occur in the "C" locale; it requires both the apostrophe flag and a width, and only glibc 2.37 is affected.

Vulnerable Products

gnu glibc 2.37

Vendor Advisories

A vulnerability was found in glibc. When the printf family of functions is called with a format specifier that uses an apostrophe (enable grouping) and a minimum width specifier, the resulting output could be larger than reasonably expected by a caller that computed a tight bound on the buffer size. The resulting larger-than-expec ...
Buffer overflow in sprintf(3) due to a regression where, after the refactor, the implementation does not account for grouping characters during padding of the width ...
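The following is an added example, not glibc code and not part of this advisory page. It models the length bookkeeping that the summary and the vendor advisories above describe: a grouped number occupies digits plus separators, and the 2.37 regression computed the padding from the digit count alone and then emitted the separators on top of it. The functions grouped_len_correct, grouped_len_buggy, overflow_bytes and format_grouped_safe are illustrative names chosen here; the "buggy" arithmetic is a model of the advisory text, not the glibc source. The last function shows the defensive pattern a caller should use instead of sprintf into a hand-computed tight bound: snprintf with the real buffer size, treating a return value at or beyond that size as an error.

```c
#include <stdio.h>
#include <string.h>
#include <locale.h>

/* Number of decimal digits in v. */
static int digit_count(unsigned long v) {
    int n = 1;
    while (v >= 10) { v /= 10; n++; }
    return n;
}

/* Correct bookkeeping: the grouped body is digits plus one separator per
 * full group of three, and padding fills whatever remains up to width. */
int grouped_len_correct(unsigned long v, int width) {
    int digits = digit_count(v);
    int seps = (digits - 1) / 3;
    int body = digits + seps;
    return body > width ? body : width;
}

/* Model of the glibc 2.37 regression as described in the advisories
 * (assumption, not glibc source): padding is computed from the digit count
 * without the grouping characters, which are then written in addition. */
int grouped_len_buggy(unsigned long v, int width) {
    int digits = digit_count(v);
    int seps = (digits - 1) / 3;
    int pad = width > digits ? width - digits : 0;
    return pad + digits + seps;
}

/* Bytes written past a buffer sized exactly for the correct output. */
int overflow_bytes(unsigned long v, int width) {
    return grouped_len_buggy(v, width) - grouped_len_correct(v, width);
}

/* Defensive formatting: never sprintf into a hand-computed tight bound.
 * snprintf is bounded by bufsz, and its return value is the length the
 * full output would have had, so a mismatch is detectable rather than an
 * out-of-bounds write. Returns the length written, or -1 if it did not fit. */
int format_grouped_safe(char *buf, size_t bufsz, int width, unsigned long v) {
    int n = snprintf(buf, bufsz, "%'*lu", width, v);
    if (n < 0 || (size_t)n >= bufsz) return -1;
    return n;
}

int main(void) {
    /* The case from the CVE description: 1,234,567 padded to width 13. */
    printf("correct length %d, buggy length %d, overflow %d bytes\n",
           grouped_len_correct(1234567, 13),   /* 13 */
           grouped_len_buggy(1234567, 13),     /* 15 */
           overflow_bytes(1234567, 13));       /* 2  */

    /* Grouping only happens in a locale with a thousands separator; in the
     * "C" locale the apostrophe flag writes no separators and the bug cannot
     * trigger. "en_US.UTF-8" is an assumed locale name that may be absent. */
    if (setlocale(LC_NUMERIC, "en_US.UTF-8") == NULL)
        puts("en_US.UTF-8 not available; output will be ungrouped");

    char tight[14];   /* 13 bytes plus NUL: the exact size a caller would compute */
    int n = format_grouped_safe(tight, sizeof tight, 13, 1234567);
    if (n < 0)
        puts("output exceeded the tight bound (affected libc or locale mismatch)");
    else
        printf("[%s] (%d bytes)\n", tight, n);
    return 0;
}
```

On an affected glibc 2.37 with a grouping locale, plain sprintf into tight[] would write two bytes past the end; snprintf in format_grouped_safe instead truncates and returns 15, so the function reports -1 and the caller can fail closed.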

Github Repositories

Dependency Package Data Microservice - Read

ortelius-ms-dep-pkg-r: Dependency Package Data Microservice - Read. This is a Flask web application which returns a list of objects known as Component Dependencies when the endpoint /msapi/deppkg is accessed. Setup: clone the repository on your local computer. Start Postgres: the project requires a Postgres server to be running. This can be done by either installing Postgre

Dependency Package Data Microservice - Create, Update and Delete

ortelius-ms-dep-pkg-cud: Dependency Package Data Microservice - Create, Update and Delete. HELM_CHART port: 8080; package name: deppkg. Postgres test database docker image: pull and run the above image. Create table Componentdep (SQL query). Microservice URL: localhost:5000/msapi/deppkg; methods: POST. Sample call: curl -X POST - -H "Content-Type: application/json"

Microservice for uploading Readme, SBOM, License File, Swagger and other DevOps and Supply Chain Intelligence.

ortelius-ms-textfile-crud. Fixed CVEs: 2/27/23 - CVE-2023-25139; 3/28/23 - CVE-2023-0464

Microservice to upload attributes gathered from the CI/CD Pipeline such as Key Value pairs.

ortelius-ms-compitem-crud: Component Details Microservice - CRUD. API list: three types of APIs are supported at the moment. Add list of component item: curl localhost:5000/msapi/compitem?comp_id=255. Returns: [{"id": 361, "compid": 255, "buildid": "", "buildurl": "", "dock

ortelius-ms-sbom-export: Dependency Package Data Microservice - Read. This is a Flask web application which returns a list of objects known as Component Dependencies when the endpoint /msapi/deppkg is accessed. Setup: clone the repository on your local computer. Start Postgres: the project requires a Postgres server to be running. This can be done by either installing Postg

Microservice for viewing DORA metrics.

ortelius-ms-scorecard. Fixed CVEs: 2/27/23 - CVE-2023-25139