CWE-134
Use of Externally-Controlled Format String
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
CVE-2012-10055 (GCVE-0-2012-10055)
Vulnerability from cvelistv5
- CWE-134 - Use of Externally-Controlled Format String
Vendor | Product | Version
---|---|---
ComSndFTP | FTP Server | 1.3.7 Beta
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2012-10055", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-08-14T13:49:56.063256Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-08-14T13:49:59.657Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/19024" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/19177" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "modules": [ "Format string parsing in FTP login handler" ], "product": "FTP Server", "vendor": "ComSndFTP", "versions": [ { "status": "affected", "version": "1.3.7 Beta" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "ChaoYi Huang" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. By sending a specially crafted username containing format specifiers, a remote attacker can overwrite a hardcoded function pointer in memory (specifically WSACleanup from Ws2_32.dll). This allows the attacker to redirect execution flow and bypass DEP protections using a ROP chain, ultimately leading to arbitrary code execution. The vulnerability is exploitable without authentication and affects default configurations." } ], "value": "ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. 
By sending a specially crafted username containing format specifiers, a remote attacker can overwrite a hardcoded function pointer in memory (specifically WSACleanup from Ws2_32.dll). This allows the attacker to redirect execution flow and bypass DEP protections using a ROP chain, ultimately leading to arbitrary code execution. The vulnerability is exploitable without authentication and affects default configurations." } ], "impacts": [ { "capecId": "CAPEC-135", "descriptions": [ { "lang": "en", "value": "CAPEC-135 Format String Injection" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-134", "description": "CWE-134 Use of Externally-Controlled Format String", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-13T20:33:06.598Z", "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck" }, "references": [ { "tags": [ "exploit" ], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/19024" }, { "tags": [ "exploit" ], "url": "https://www.exploit-db.com/exploits/19177" }, { "tags": [ 
"product" ], "url": "https://web.archive.org/web/20120317214524/http://ftp.comsnd.com/" }, { "tags": [ "third-party-advisory" ], "url": "https://www.vulncheck.com/advisories/comsndftp-user-format-string-rce" } ], "source": { "discovery": "UNKNOWN" }, "tags": [ "unsupported-when-assigned" ], "title": "ComSndFTP v1.3.7 Beta USER Format String RCE", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "assignerShortName": "VulnCheck", "cveId": "CVE-2012-10055", "datePublished": "2025-08-13T20:33:06.598Z", "dateReserved": "2025-08-11T18:15:05.776Z", "dateUpdated": "2025-08-14T13:49:59.657Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-10088 (GCVE-0-2015-10088)
Vulnerability from cvelistv5
5.0 (Medium) - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
- CWE-134 - Format String
Vendor | Product | Version
---|---|---
n/a | ayttm | 0.5.0.0 through 0.5.0.89
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T08:58:26.476Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "technical-description", "x_transferred" ], "url": "https://vuldb.com/?id.222267" }, { "tags": [ "signature", "permissions-required", "x_transferred" ], "url": "https://vuldb.com/?ctiid.222267" }, { "tags": [ "related", "x_transferred" ], "url": "https://sourceforge.net/p/ayttm/mailman/message/34397158/" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/ayttm/ayttm/commit/40e04680018614a7d2b68566b261b061a0597046" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ayttm", "vendor": "n/a", "versions": [ { "status": "affected", "version": "0.5.0.0" }, { "status": "affected", "version": "0.5.0.1" }, { "status": "affected", "version": "0.5.0.2" }, { "status": "affected", "version": "0.5.0.3" }, { "status": "affected", "version": "0.5.0.4" }, { "status": "affected", "version": "0.5.0.5" }, { "status": "affected", "version": "0.5.0.6" }, { "status": "affected", "version": "0.5.0.7" }, { "status": "affected", "version": "0.5.0.8" }, { "status": "affected", "version": "0.5.0.9" }, { "status": "affected", "version": "0.5.0.10" }, { "status": "affected", "version": "0.5.0.11" }, { "status": "affected", "version": "0.5.0.12" }, { "status": "affected", "version": "0.5.0.13" }, { "status": "affected", "version": "0.5.0.14" }, { "status": "affected", "version": "0.5.0.15" }, { "status": "affected", "version": "0.5.0.16" }, { "status": "affected", "version": "0.5.0.17" }, { "status": "affected", "version": "0.5.0.18" }, { "status": "affected", "version": "0.5.0.19" }, { "status": "affected", "version": "0.5.0.20" }, { "status": "affected", "version": "0.5.0.21" }, { "status": "affected", "version": "0.5.0.22" }, { "status": "affected", "version": "0.5.0.23" }, { "status": "affected", "version": "0.5.0.24" }, { "status": 
"affected", "version": "0.5.0.25" }, { "status": "affected", "version": "0.5.0.26" }, { "status": "affected", "version": "0.5.0.27" }, { "status": "affected", "version": "0.5.0.28" }, { "status": "affected", "version": "0.5.0.29" }, { "status": "affected", "version": "0.5.0.30" }, { "status": "affected", "version": "0.5.0.31" }, { "status": "affected", "version": "0.5.0.32" }, { "status": "affected", "version": "0.5.0.33" }, { "status": "affected", "version": "0.5.0.34" }, { "status": "affected", "version": "0.5.0.35" }, { "status": "affected", "version": "0.5.0.36" }, { "status": "affected", "version": "0.5.0.37" }, { "status": "affected", "version": "0.5.0.38" }, { "status": "affected", "version": "0.5.0.39" }, { "status": "affected", "version": "0.5.0.40" }, { "status": "affected", "version": "0.5.0.41" }, { "status": "affected", "version": "0.5.0.42" }, { "status": "affected", "version": "0.5.0.43" }, { "status": "affected", "version": "0.5.0.44" }, { "status": "affected", "version": "0.5.0.45" }, { "status": "affected", "version": "0.5.0.46" }, { "status": "affected", "version": "0.5.0.47" }, { "status": "affected", "version": "0.5.0.48" }, { "status": "affected", "version": "0.5.0.49" }, { "status": "affected", "version": "0.5.0.50" }, { "status": "affected", "version": "0.5.0.51" }, { "status": "affected", "version": "0.5.0.52" }, { "status": "affected", "version": "0.5.0.53" }, { "status": "affected", "version": "0.5.0.54" }, { "status": "affected", "version": "0.5.0.55" }, { "status": "affected", "version": "0.5.0.56" }, { "status": "affected", "version": "0.5.0.57" }, { "status": "affected", "version": "0.5.0.58" }, { "status": "affected", "version": "0.5.0.59" }, { "status": "affected", "version": "0.5.0.60" }, { "status": "affected", "version": "0.5.0.61" }, { "status": "affected", "version": "0.5.0.62" }, { "status": "affected", "version": "0.5.0.63" }, { "status": "affected", "version": "0.5.0.64" }, { "status": "affected", "version": "0.5.0.65" }, { 
"status": "affected", "version": "0.5.0.66" }, { "status": "affected", "version": "0.5.0.67" }, { "status": "affected", "version": "0.5.0.68" }, { "status": "affected", "version": "0.5.0.69" }, { "status": "affected", "version": "0.5.0.70" }, { "status": "affected", "version": "0.5.0.71" }, { "status": "affected", "version": "0.5.0.72" }, { "status": "affected", "version": "0.5.0.73" }, { "status": "affected", "version": "0.5.0.74" }, { "status": "affected", "version": "0.5.0.75" }, { "status": "affected", "version": "0.5.0.76" }, { "status": "affected", "version": "0.5.0.77" }, { "status": "affected", "version": "0.5.0.78" }, { "status": "affected", "version": "0.5.0.79" }, { "status": "affected", "version": "0.5.0.80" }, { "status": "affected", "version": "0.5.0.81" }, { "status": "affected", "version": "0.5.0.82" }, { "status": "affected", "version": "0.5.0.83" }, { "status": "affected", "version": "0.5.0.84" }, { "status": "affected", "version": "0.5.0.85" }, { "status": "affected", "version": "0.5.0.86" }, { "status": "affected", "version": "0.5.0.87" }, { "status": "affected", "version": "0.5.0.88" }, { "status": "affected", "version": "0.5.0.89" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability, which was classified as critical, was found in ayttm up to 0.5.0.89. This affects the function http_connect in the library libproxy/proxy.c. The manipulation leads to format string. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The patch is named 40e04680018614a7d2b68566b261b061a0597046. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-222267." }, { "lang": "de", "value": "Es wurde eine kritische Schwachstelle in ayttm bis 0.5.0.89 gefunden. Es geht dabei um die Funktion http_connect in der Bibliothek libproxy/proxy.c. 
Dank Manipulation mit unbekannten Daten kann eine format string-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig auszunutzen. Der Patch wird als 40e04680018614a7d2b68566b261b061a0597046 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen." } ], "metrics": [ { "cvssV3_1": { "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 4.6, "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-134", "description": "CWE-134 Format String", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-20T09:06:11.995Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "tags": [ "vdb-entry", "technical-description" ], "url": "https://vuldb.com/?id.222267" }, { "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.222267" }, { "tags": [ "related" ], "url": "https://sourceforge.net/p/ayttm/mailman/message/34397158/" }, { "tags": [ "patch" ], "url": "https://github.com/ayttm/ayttm/commit/40e04680018614a7d2b68566b261b061a0597046" } ], "timeline": [ { "lang": "en", "time": "2023-03-03T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2023-03-03T00:00:00.000Z", "value": "CVE reserved" }, { "lang": "en", "time": "2023-03-03T01:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2023-03-31T08:31:13.000Z", "value": "VulDB entry last update" } ], "title": "ayttm proxy.c http_connect format string" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": 
"CVE-2015-10088", "datePublished": "2023-03-05T05:00:05.655Z", "dateReserved": "2023-03-03T08:03:38.826Z", "dateUpdated": "2024-08-06T08:58:26.476Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-0898 (GCVE-0-2017-0898)
Vulnerability from cvelistv5
- CWE-134 - Format String Vulnerability
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T13:25:17.095Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-3685-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3685-1/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/212241" }, { "name": "RHSA-2018:0585", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2018:0585" }, { "name": "RHSA-2018:0378", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2018:0378" }, { "name": "DSA-4031", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2017/dsa-4031" }, { "name": "100862", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/100862" }, { "name": "1039363", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1039363" }, { "name": "RHSA-2017:3485", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2017:3485" }, { "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html" }, { "name": "RHSA-2018:0583", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2018:0583" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/mruby/mruby/issues/3722" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/" }, { "name": "GLSA-201710-18", "tags": 
[ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201710-18" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Ruby", "vendor": "HackerOne", "versions": [ { "status": "affected", "version": "Versions before 2.4.2, 2.3.5, and 2.2.8" } ] } ], "datePublic": "2017-09-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-134", "description": "Format String Vulnerability (CWE-134)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2018-07-14T09:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "name": "USN-3685-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3685-1/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/212241" }, { "name": "RHSA-2018:0585", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2018:0585" }, { "name": "RHSA-2018:0378", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2018:0378" }, { "name": "DSA-4031", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2017/dsa-4031" }, { "name": "100862", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/100862" }, { "name": "1039363", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1039363" }, { "name": "RHSA-2017:3485", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2017:3485" }, { "name": 
"[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html" }, { "name": "RHSA-2018:0583", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2018:0583" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/mruby/mruby/issues/3722" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/" }, { "name": "GLSA-201710-18", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201710-18" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2017-09-15T00:00:00", "ID": "CVE-2017-0898", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Ruby", "version": { "version_data": [ { "version_value": "Versions before 2.4.2, 2.3.5, and 2.2.8" } ] } } ] }, "vendor_name": "HackerOne" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Format String Vulnerability (CWE-134)" } ] } ] }, "references": { "reference_data": [ { "name": "USN-3685-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3685-1/" }, { "name": "https://hackerone.com/reports/212241", "refsource": "MISC", "url": "https://hackerone.com/reports/212241" }, { "name": "RHSA-2018:0585", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0585" }, { "name": "RHSA-2018:0378", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0378" }, { "name": "DSA-4031", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2017/dsa-4031" }, { "name": "100862", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100862" }, { "name": "1039363", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1039363" }, { "name": "RHSA-2017:3485", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:3485" }, { "name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html" }, { "name": "RHSA-2018:0583", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0583" }, { "name": "https://github.com/mruby/mruby/issues/3722", "refsource": "MISC", "url": "https://github.com/mruby/mruby/issues/3722" }, { "name": "https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/", "refsource": "MISC", "url": "https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/" }, { "name": "GLSA-201710-18", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201710-18" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2017-0898", "datePublished": "2017-09-15T19:00:00Z", "dateReserved": "2016-11-30T00:00:00", 
"dateUpdated": "2024-09-17T01:36:46.258Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-12702 (GCVE-0-2017-12702)
Vulnerability from cvelistv5
Vendor | Product | Version
---|---|---
n/a | Advantech WebAccess | Advantech WebAccess
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T18:43:56.457Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-241-02" }, { "name": "100526", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/100526" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Advantech WebAccess", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Advantech WebAccess" } ] } ], "datePublic": "2017-08-30T00:00:00", "descriptions": [ { "lang": "en", "value": "An Externally Controlled Format String issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. String format specifiers based on user provided input are not properly validated, which could allow an attacker to execute arbitrary code." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-134", "description": "CWE-134", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-31T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-241-02" }, { "name": "100526", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/100526" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2017-12702", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Advantech WebAccess", "version": { "version_data": [ { "version_value": "Advantech WebAccess" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An Externally Controlled Format String issue was 
discovered in Advantech WebAccess versions prior to V8.2_20170817. String format specifiers based on user provided input are not properly validated, which could allow an attacker to execute arbitrary code." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-134" } ] } ] }, "references": { "reference_data": [ { "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-241-02", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-241-02" }, { "name": "100526", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100526" } ] } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-12702", "datePublished": "2017-08-30T18:00:00", "dateReserved": "2017-08-09T00:00:00", "dateUpdated": "2024-08-05T18:43:56.457Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-3859 (GCVE-0-2017-3859)
Vulnerability from cvelistv5
Vendor | Product | Version
---|---|---
n/a | Cisco IOS XE Software for Cisco ASR 920 Series Routers | Cisco IOS XE Software for Cisco ASR 920 Series Routers
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T14:39:41.133Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "1038104", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1038104" }, { "name": "97008", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/97008" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Cisco IOS XE Software for Cisco ASR 920 Series Routers", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Cisco IOS XE Software for Cisco ASR 920 Series Routers" } ] } ], "datePublic": "2017-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "A vulnerability in the DHCP code for the Zero Touch Provisioning feature of Cisco ASR 920 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a format string vulnerability when processing a crafted DHCP packet for Zero Touch Provisioning. An attacker could exploit this vulnerability by sending a specially crafted DHCP packet to an affected device. An exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. This vulnerability affects Cisco ASR 920 Series Aggregation Services Routers that are running an affected release of Cisco IOS XE Software (3.13 through 3.18) and are listening on the DHCP server port. By default, the devices do not listen on the DHCP server port. Cisco Bug IDs: CSCuy56385." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-134", "description": "CWE-134", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-11T09:57:01", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco" }, "references": [ { "name": "1038104", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1038104" }, { "name": "97008", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/97008" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "psirt@cisco.com", "ID": "CVE-2017-3859", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Cisco IOS XE Software for Cisco ASR 920 Series Routers", "version": { "version_data": [ { "version_value": "Cisco IOS XE Software for Cisco ASR 920 Series Routers" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability in the DHCP code for the Zero Touch Provisioning feature of Cisco ASR 920 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a format string vulnerability when processing a crafted DHCP packet for Zero Touch Provisioning. An attacker could exploit this vulnerability by sending a specially crafted DHCP packet to an affected device. An exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. This vulnerability affects Cisco ASR 920 Series Aggregation Services Routers that are running an affected release of Cisco IOS XE Software (3.13 through 3.18) and are listening on the DHCP server port. 
By default, the devices do not listen on the DHCP server port. Cisco Bug IDs: CSCuy56385." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-134" } ] } ] }, "references": { "reference_data": [ { "name": "1038104", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038104" }, { "name": "97008", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97008" }, { "name": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp", "refsource": "CONFIRM", "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp" } ] } } } }, "cveMetadata": { "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2017-3859", "datePublished": "2017-03-22T19:00:00", "dateReserved": "2016-12-21T00:00:00", "dateUpdated": "2024-08-05T14:39:41.133Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-7519 (GCVE-0-2017-7519)
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T16:04:11.820Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "99075", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/99075" }, { "name": "DSA-4339", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2018/dsa-4339" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7519" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ceph", "vendor": "[UNKNOWN]", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-06-09T00:00:00", "descriptions": [ { "lang": "en", "value": "In Ceph, a format string flaw was found in the way libradosstriper parses input from user. A user could crash an application or service using the libradosstriper library." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-134", "description": "CWE-134", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2018-11-14T10:57:02", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "99075", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/99075" }, { "name": "DSA-4339", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2018/dsa-4339" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7519" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-7519", "datePublished": "2018-07-27T14:00:00", "dateReserved": "2017-04-05T00:00:00", "dateUpdated": "2024-08-05T16:04:11.820Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-13318 (GCVE-0-2019-13318)
Vulnerability from cvelistv5
- CWE-134 - Use of Externally-Controlled Format String
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:49:24.556Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.foxitsoftware.com/support/security-bulletins.php" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-635/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Reader", "vendor": "Foxit", "versions": [ { "status": "affected", "version": "9.5.0.20723" } ] } ], "credits": [ { "lang": "en", "value": "banananapenguin" } ], "descriptions": [ { "lang": "en", "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of the util.printf Javascript method. The application processes the %p parameter in the format string, allowing heap addresses to be returned to the script. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-8544." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-134", "description": "CWE-134: Use of Externally-Controlled Format String", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-04T17:37:01", "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.foxitsoftware.com/support/security-bulletins.php" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-635/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "zdi-disclosures@trendmicro.com", "ID": "CVE-2019-13318", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Reader", "version": { "version_data": [ { "version_value": "9.5.0.20723" } ] } } ] }, "vendor_name": "Foxit" } ] } }, "credit": "banananapenguin", "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Reader 9.5.0.20723. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of the util.printf Javascript method. The application processes the %p parameter in the format string, allowing heap addresses to be returned to the script. 
An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-8544." } ] }, "impact": { "cvss": { "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-134: Use of Externally-Controlled Format String" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.foxitsoftware.com/support/security-bulletins.php", "refsource": "MISC", "url": "https://www.foxitsoftware.com/support/security-bulletins.php" }, { "name": "https://www.zerodayinitiative.com/advisories/ZDI-19-635/", "refsource": "MISC", "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-635/" } ] } } } }, "cveMetadata": { "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "assignerShortName": "zdi", "cveId": "CVE-2019-13318", "datePublished": "2019-10-04T17:37:01", "dateReserved": "2019-07-05T00:00:00", "dateUpdated": "2024-08-04T23:49:24.556Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-6840 (GCVE-0-2019-6840)
Vulnerability from cvelistv5
- CWE-134 - Format String:
Vendor | Product | Version
---|---|---
Schneider Electric SE | U.motion Server | Version: MEG6501-0001 - U.motion KNX server; Version: MEG6501-0002 - U.motion KNX Server Plus; Version: MEG6260-0410 - U.motion KNX Server Plus; Version: Touch 10; Version: MEG6260-0415 - U.motion KNX Server Plus; Version: Touch 15
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T20:31:04.390Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-253-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "U.motion Server", "vendor": "Schneider Electric SE", "versions": [ { "status": "affected", "version": "MEG6501-0001 - U.motion KNX server" }, { "status": "affected", "version": "MEG6501-0002 - U.motion KNX Server Plus" }, { "status": "affected", "version": "MEG6260-0410 - U.motion KNX Server Plus" }, { "status": "affected", "version": "Touch 10" }, { "status": "affected", "version": "MEG6260-0415 - U.motion KNX Server Plus" }, { "status": "affected", "version": "Touch 15" } ] } ], "descriptions": [ { "lang": "en", "value": "A Format String: CWE-134 vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow an attacker to send a crafted message to the target server, thereby causing arbitrary commands to be executed." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-134", "description": "Format String: CWE-134\u00a0", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-17T19:19:36", "orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-253-01" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cybersecurity@schneider-electric.com", "ID": "CVE-2019-6840", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "U.motion Server", "version": { "version_data": [ { "version_value": "MEG6501-0001 - U.motion KNX server" }, { "version_value": "MEG6501-0002 - U.motion KNX Server Plus" }, { "version_value": "MEG6260-0410 - U.motion KNX Server Plus" }, { "version_value": "Touch 10" }, { "version_value": "MEG6260-0415 - U.motion KNX Server Plus" }, { "version_value": "Touch 15" } ] } } ] }, "vendor_name": "Schneider Electric SE" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A Format String: CWE-134 vulnerability exists in U.motion Server (MEG6501-0001 - U.motion KNX server, MEG6501-0002 - U.motion KNX Server Plus, MEG6260-0410 - U.motion KNX Server Plus, Touch 10, MEG6260-0415 - U.motion KNX Server Plus, Touch 15), which could allow an attacker to send a crafted message to the target server, thereby causing arbitrary commands to be executed." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Format String: CWE-134\u00a0" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-253-01", "refsource": "CONFIRM", "url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-253-01" } ] } } } }, "cveMetadata": { "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "assignerShortName": "schneider", "cveId": "CVE-2019-6840", "datePublished": "2019-09-17T19:19:36", "dateReserved": "2019-01-25T00:00:00", "dateUpdated": "2024-08-04T20:31:04.390Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-15634 (GCVE-0-2020-15634)
Vulnerability from cvelistv5
- CWE-134 - Use of Externally-Controlled Format String
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:22:30.645Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-935/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://kb.netgear.com/000062126/Security-Advisory-for-Pre-Authentication-Command-Injection-on-R6700v3-PSV-2020-0189" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "R6700", "vendor": "NETGEAR", "versions": [ { "status": "affected", "version": "1.0.4.84_10.0.58" } ] } ], "credits": [ { "lang": "en", "value": "d4rkn3ss from VNPT ISC" } ], "descriptions": [ { "lang": "en", "value": "This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 routers with firmware 1.0.4.84_10.0.58. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of string table file uploads. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to execute code in the context of the web server. Was ZDI-CAN-9755." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-134", "description": "CWE-134: Use of Externally-Controlled Format String", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-19T20:55:27", "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-935/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://kb.netgear.com/000062126/Security-Advisory-for-Pre-Authentication-Command-Injection-on-R6700v3-PSV-2020-0189" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "zdi-disclosures@trendmicro.com", "ID": "CVE-2020-15634", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "R6700", "version": { "version_data": [ { "version_value": "1.0.4.84_10.0.58" } ] } } ] }, "vendor_name": "NETGEAR" } ] } }, "credit": "d4rkn3ss from VNPT ISC", "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6700 routers with firmware 1.0.4.84_10.0.58. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of string table file uploads. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. 
An attacker can leverage this vulnerability to execute code in the context of the web server. Was ZDI-CAN-9755." } ] }, "impact": { "cvss": { "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-134: Use of Externally-Controlled Format String" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.zerodayinitiative.com/advisories/ZDI-20-935/", "refsource": "MISC", "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-935/" }, { "name": "https://kb.netgear.com/000062126/Security-Advisory-for-Pre-Authentication-Command-Injection-on-R6700v3-PSV-2020-0189", "refsource": "MISC", "url": "https://kb.netgear.com/000062126/Security-Advisory-for-Pre-Authentication-Command-Injection-on-R6700v3-PSV-2020-0189" } ] } } } }, "cveMetadata": { "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "assignerShortName": "zdi", "cveId": "CVE-2020-15634", "datePublished": "2020-08-19T20:55:27", "dateReserved": "2020-07-07T00:00:00", "dateUpdated": "2024-08-04T13:22:30.645Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-1979 (GCVE-0-2020-1979)
Vulnerability from cvelistv5
- CWE-134 - Use of Externally-Controlled Format String
Vendor | Product | Version
---|---|---
Palo Alto Networks | PAN-OS | Version: 8.1 < 8.1.13; Patch: 9.0.0 < 9.0*; Patch: 7.1.0 < 7.1*; Patch: 9.1.0 < 9.1*
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T06:54:00.395Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://security.paloaltonetworks.com/CVE-2020-1979" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "PAN-OS", "vendor": "Palo Alto Networks", "versions": [ { "changes": [ { "at": "8.1.13", "status": "unaffected" } ], "lessThan": "8.1.13", "status": "affected", "version": "8.1", "versionType": "custom" }, { "lessThan": "9.0*", "status": "unaffected", "version": "9.0.0", "versionType": "custom" }, { "lessThan": "7.1*", "status": "unaffected", "version": "7.1.0", "versionType": "custom" }, { "lessThan": "9.1*", "status": "unaffected", "version": "9.1.0", "versionType": "custom" } ] } ], "configurations": [ { "lang": "en", "value": "N/A" } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Nicholas Newsom of Palo Alto Networks during an internal security review." } ], "datePublic": "2020-03-11T00:00:00", "descriptions": [ { "lang": "en", "value": "A format string vulnerability in the PAN-OS log daemon (logd) on Panorama allows a network based attacker with knowledge of registered firewall devices and access to Panorama management interfaces to execute arbitrary code, bypassing the restricted shell and escalating privileges. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13 on Panorama. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later PAN-OS versions." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-134", "description": "CWE-134 Use of Externally-Controlled Format String", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-05-13T19:07:13", "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://security.paloaltonetworks.com/CVE-2020-1979" } ], "solutions": [ { "lang": "en", "value": "This issue is fixed in PAN-OS 8.1.13 and all later PAN-OS 8.1 versions." } ], "source": { "defect": [ "PAN-97584" ], "discovery": "USER" }, "timeline": [ { "lang": "en", "time": "2020-03-11T00:00:00", "value": "Initial publication" }, { "lang": "en", "time": "2020-05-12T00:00:00", "value": "Updated attack vector, description and acknowledgement." } ], "title": "PAN-OS: A format string vulnerability in PAN-OS log daemon (logd) on Panorama allows local privilege escalation", "workarounds": [ { "lang": "en", "value": "This issue affects the management interface of Panorama and is mitigated by following best practices for securing the Panorama management interface. Our best practices guidelines reduce the exposure of the management interface to potential attackers. Please review the Best Practices for Securing Administrative Access in the PAN-OS 8.1 technical documentation, available at: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/best-practices-for-securing-administrative-access." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "psirt@paloaltonetworks.com", "DATE_PUBLIC": "2020-03-11T16:00:00.000Z", "ID": "CVE-2020-1979", "STATE": "PUBLIC", "TITLE": "PAN-OS: A format string vulnerability in PAN-OS log daemon (logd) on Panorama allows local privilege escalation" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "PAN-OS", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "8.1", "version_value": "8.1.13" }, { "version_affected": "!\u003e=", "version_name": "8.1", "version_value": "8.1.13" }, { "version_affected": "!\u003e=", "version_name": "9.0", "version_value": "9.0.0" }, { "version_affected": "!\u003e=", "version_name": "7.1", "version_value": "7.1.0" }, { "version_affected": "!\u003e=", "version_name": "9.1", "version_value": "9.1.0" } ] } } ] }, "vendor_name": "Palo Alto Networks" } ] } }, "configuration": [ { "lang": "en", "value": "N/A" } ], "credit": [ { "lang": "eng", "value": "This issue was discovered by Nicholas Newsom of Palo Alto Networks during an internal security review." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A format string vulnerability in the PAN-OS log daemon (logd) on Panorama allows a network based attacker with knowledge of registered firewall devices and access to Panorama management interfaces to execute arbitrary code, bypassing the restricted shell and escalating privileges. This issue affects only PAN-OS 8.1 versions earlier than PAN-OS 8.1.13 on Panorama. This issue does not affect PAN-OS 7.1, PAN-OS 9.0, or later PAN-OS versions." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-134 Use of Externally-Controlled Format String" } ] } ] }, "references": { "reference_data": [ { "name": "https://security.paloaltonetworks.com/CVE-2020-1979", "refsource": "MISC", "url": "https://security.paloaltonetworks.com/CVE-2020-1979" } ] }, "solution": [ { "lang": "en", "value": "This issue is fixed in PAN-OS 8.1.13 and all later PAN-OS 8.1 versions." } ], "source": { "defect": [ "PAN-97584" ], "discovery": "USER" }, "timeline": [ { "lang": "en", "time": "2020-03-11T00:00:00", "value": "Initial publication" }, { "lang": "en", "time": "2020-05-12T00:00:00", "value": "Updated attack vector, description and acknowledgement." } ], "work_around": [ { "lang": "en", "value": "This issue affects the management interface of Panorama and is mitigated by following best practices for securing the Panorama management interface. Our best practices guidelines reduce the exposure of the management interface to potential attackers. Please review the Best Practices for Securing Administrative Access in the PAN-OS 8.1 technical documentation, available at: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/getting-started/best-practices-for-securing-administrative-access." 
} ] } } }, "cveMetadata": { "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "assignerShortName": "palo_alto", "cveId": "CVE-2020-1979", "datePublished": "2020-03-11T18:58:21.177187Z", "dateReserved": "2019-12-04T00:00:00", "dateUpdated": "2024-09-17T00:10:53.810Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Mitigation
Phase: Requirements
Description:
- Choose a language that is not subject to this flaw.
Mitigation
Phase: Implementation
Description:
- Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments is always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
Mitigation
Phase: Build and Compilation
Description:
- Run compilers and linkers with high warning levels, since they may detect incorrect usage.
CAPEC-135: Format String Injection
An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s will print the contents of a memory location, expecting this location to identify a string, and the formatting character %n prints the number of DWORDs written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.
CAPEC-67: String Format Overflow in syslog()
This attack targets applications and software that use the syslog() function insecurely. If an application does not explicitly use a format string parameter in a call to syslog(), user input can be placed in the format string parameter, leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call, leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.