CVE-2007-2054 - Multiple format string vulnerabilities in AFFLIB before 2.2.6 allow remote attackers to execute arbi

CVE-2007-2054

Summary

Multiple format string vulnerabilities in AFFLIB before 2.2.6 allow remote attackers to execute arbitrary code via certain command line parameters, which are used in (1) warn and (2) err calls in (a) lib/s3.cpp, (b) tools/afconvert.cpp, (c) tools/afcopy.cpp, (d) tools/afinfo.cpp, (e) aimage/aimage.cpp, (f) aimage/imager.cpp, and (g) tools/afxml.cpp. NOTE: the aimage.cpp vector (e) has since been recalled from the researcher's original advisory, since the code is not called in any version of AFFLIB. The vendor has addressed this issue through the following product update: http://www.afflib.org/downloads/

References

Vulnerable Configurations

cpe:2.3:a:afflib:afflib:*:*:*:*:*:*:*:*
cpe:2.3:a:afflib:afflib:*:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 16-10-2018 - 16:41)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

bugtraq	20070427 AFFLIB(TM): Multiple Format String Injections
misc	http://www.vsecurity.com/bulletins/advisories/2007/afflib-fmtstr.txt
sreason	2657
xf	afflib-multiple-format-string(33969)

Last major update

16-10-2018 - 16:41

Published

30-04-2007 - 22:19

Last modified

16-10-2018 - 16:41