Out-of-bounds Write Affecting clamav package, versions <0.101.2+dfsg-1


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
4.21% (93rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN11-CLAMAV-517439
  • published31 Mar 2019
  • disclosed8 Apr 2019

Introduced: 31 Mar 2019

CVE-2019-1788  (opens in a new tab)
CWE-787  (opens in a new tab)

How to fix?

Upgrade Debian:11 clamav to version 0.101.2+dfsg-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream clamav package and not the clamav package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A vulnerability in the Object Linking & Embedding (OLE2) file scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to a lack of proper input and validation checking mechanisms for OLE2 files sent an affected device. An attacker could exploit this vulnerability by sending malformed OLE2 files to the device running an affected version ClamAV Software. An exploit could allow the attacker to cause an out-of-bounds write condition, resulting in a crash that could result in a denial of service condition on an affected device.

CVSS Scores

version 3.1