CVE-2024-10573

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-10573
An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.

6.7 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://access.redhat.com/security/cve/CVE-2024-10573
https://bugzilla.redhat.com/show_bug.cgi?id=2322980
https://mpg123.org/cgi-bin/news.cgi#2024-10-26
http://www.openwall.com/lists/oss-security/2024/10/30/3
http://www.openwall.com/lists/oss-security/2024/10/31/4
http://www.openwall.com/lists/oss-security/2024/11/01/1
Configurations

No configuration.

History

21 Nov 2024, 08:48

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/10/30/3 -
  • () http://www.openwall.com/lists/oss-security/2024/10/31/4 -
  • () http://www.openwall.com/lists/oss-security/2024/11/01/1 -
Summary
  • (es) Se encontró un fallo de escritura fuera de los límites en mpg123 al manejar transmisiones creadas. Al decodificar PCM, libmpg123 puede escribir más allá del final de un búfer ubicado en el almacenamiento dinámico. En consecuencia, puede ocurrir una corrupción del almacenamiento dinámico y no se descarta la ejecución de código arbitrario. La complejidad requerida para explotar este fallo se considera alta ya que el payload debe ser validado por el decodificador MPEG y el sintetizador PCM antes de la ejecución. Además, para ejecutar el ataque con éxito, el usuario debe escanear la transmisión, lo que hace que el contenido de transmisión en vivo web (como radios web) sea un vector de ataque muy poco probable.

31 Oct 2024, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-10-31 19:15

Updated : 2024-11-21 08:48

NVD link : CVE-2024-10573

Mitre link : CVE-2024-10573

CVE.ORG link : CVE-2024-10573

JSON object : View

Products Affected

No product.

CWE
CWE-787

Out-of-bounds Write


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024