7-Zip NTFS Handler Vulnerable to Out-of-Bounds Read Attack
CVE-2023-52169
8.2 HIGH
What is CVE-2023-52169?
The 7-Zip software, specifically its NTFS handler, is susceptible to an out-of-bounds read vulnerability that enables attackers to read data beyond the intended memory buffer. This issue arises from how the application processes filenames in file system images and poses a threat in environments where untrusted users can upload files for extraction using a server-side 7-Zip process. If exploited, this vulnerability may lead to unauthorized access to sensitive data hidden within filenames.
CVSS V3.1
Score: 8.2
Severity: HIGH
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
