CVE-2023-29491

7.8HIGH

Key Information

Vendor: Gnu
Status: Ncurses
Vendor: CVE Published:; 14 April 2023

Badges

👾 Exploit Exists📰 News Worthy

Summary

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

News Articles

Microsoft

CVE-2023-29491CVE-2023-22809

Uncursing the ncurses: Memory corruption vulnerabilities found in library | Microsoft Security Blog

A set of memory corruption vulnerabilities in the ncurses library could have allowed attackers to chain the vulnerabilities to elevate privileges and run code in the targeted program's context or perform other malicious actions.

1 year ago

Dark Reading

CVE-2023-29491

Microsoft Flushes Out 'Ncurses' Gremlins

The maintainers of the widely used library recently patched multiple memory corruption vulnerabilities that attackers could have abused to, ahem, curse targets with malicious code and escalate privileges.

1 year ago

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit exists.
Nov 28, 2024
First article discovered by Dark Reading
Sep 15, 2023
Vulnerability published.
Apr 14, 2023
Vulnerability Reserved.
Apr 7, 2023

Collectors

NVD DatabaseMitre Database2 News Article(s)