Format String Vulnerability in UDisks 2.8.0 by The UDisks Project
CVE-2018-17336

7.8HIGH

Key Information:

Vendor

Freedesktop

Status
Udisks
Vendor
CVE Published:
22 September 2018
đź”” Create Freedesktop Vulnerability Alert

What is CVE-2018-17336?

UDisks 2.8.0 contains a format string vulnerability in the udisks_log function, which is found in the udiskslogging.c file. This vulnerability allows attackers to potentially exploit malformed filesystem labels, leading to the exposure of sensitive stack information, causing denial of service due to memory corruption, or possibly resulting in other undisclosed impacts. The issue can be triggered by data formatted with specific substrings like %d or %n.

References

https://github.com/storaged-project/udisks/issues/578
x_refsource_MISC
https://usn.ubuntu.com/3772-1/
vendor-advisoryx_refsource_UBUNTU
https://access.redhat.com/errata/RHSA-2019:2178
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.