Memory Corruption Vulnerability in ncurses Affects Local Users
CVE-2023-29491

7.8HIGH

Key Information:

Vendor
Gnu
Status
Ncurses
Vendor
CVE Published:
14 April 2023

Badges

πŸ‘Ύ Exploit ExistsπŸ“° News Worthy

Summary

ncurses versions prior to 6.4 20230408 exhibit a vulnerability that permits local users of setuid applications to induce memory corruption. This occurs through the utilization of malformed data within a terminfo database file located in the user's home directory or accessed via environment variables like TERMINFO or TERM. This security flaw underscores the importance of maintaining updated ncurses installations to mitigate potential risks.

News Articles

favicon imageMicrosoft

Uncursing the ncurses: Memory corruption vulnerabilities found in library | Microsoft Security Blog

A set of memory corruption vulnerabilities in the ncurses library could have allowed attackers to chain the vulnerabilities to elevate privileges and run code in the targeted program's context or perform other malicious actions.

1 year ago

favicon imageDark Reading

Microsoft Flushes Out 'Ncurses' Gremlins

The maintainers of the widely used library recently patched multiple memory corruption vulnerabilities that attackers could have abused to, ahem, curse targets with malicious code and escalate privileges.

1 year ago

References

https://www.openwall.com/lists/oss-security/2023/04/13/4
http://ncurses.scripts.mit.edu/?p=ncurses.git%3Ba=commit%...
https://www.openwall.com/lists/oss-security/2023/04/12/5

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ“°

    First article discovered by Dark Reading

  • Vulnerability published

  • Vulnerability Reserved

.