Memory Corruption Vulnerability in ncurses Affects Local Users
CVE-2023-29491

7.8HIGH

Key Information:

Vendor: Gnu
Status: Ncurses
Vendor: CVE Published:; 14 April 2023

Badges

👾 Exploit Exists📰 News Worthy

Summary

ncurses versions prior to 6.4 20230408 exhibit a vulnerability that permits local users of setuid applications to induce memory corruption. This occurs through the utilization of malformed data within a terminfo database file located in the user's home directory or accessed via environment variables like TERMINFO or TERM. This security flaw underscores the importance of maintaining updated ncurses installations to mitigate potential risks.

Get notified when SecurityVulnerability.io launches alerting 🔔

News Articles

Microsoft

CVE-2023-29491 CVE-2023-22809

Uncursing the ncurses: Memory corruption vulnerabilities found in library | Microsoft Security Blog

A set of memory corruption vulnerabilities in the ncurses library could have allowed attackers to chain the vulnerabilities to elevate privileges and run code in the targeted program's context or perform other malicious actions.

Dark Reading

CVE-2023-29491

Microsoft Flushes Out 'Ncurses' Gremlins

The maintainers of the widely used library recently patched multiple memory corruption vulnerabilities that attackers could have abused to, ahem, curse targets with malicious code and escalate privileges.

References

https://www.openwall.com/lists/oss-security/2023/04/13/4

http://ncurses.scripts.mit.edu/?p=ncurses.git%3Ba=commit%...

https://www.openwall.com/lists/oss-security/2023/04/12/5

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit known to exist
Oct 12, 2023
📰
First article discovered by Dark Reading
Sep 15, 2023
Vulnerability published
Apr 14, 2023
Vulnerability Reserved
Apr 7, 2023