Out-of-bounds Read Affecting clamav package, versions <0.102.2+dfsg-0ubuntu0.14.04.1+esm1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-UBUNTU1404-CLAMAV-548527
- published 8 Feb 2020
- disclosed 5 Feb 2020
Introduced: 5 Feb 2020
CVE-2020-3123 Open this link in a new tabHow to fix?
Upgrade Ubuntu:14.04 clamav to version 0.102.2+dfsg-0ubuntu0.14.04.1+esm1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream clamav package and not the clamav package as distributed by Ubuntu.
See How to fix? for Ubuntu:14.04 relevant fixed versions and status.
A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiVirus (ClamAV) Software versions 0.102.1 and 0.102.0 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to an out-of-bounds read affecting users that have enabled the optional DLP feature. An attacker could exploit this vulnerability by sending a crafted email file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process crash, resulting in a denial of service condition.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-3123
- https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs59062
- https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html
- https://security-tracker.debian.org/tracker/CVE-2020-3123
- https://security.gentoo.org/glsa/202003-46
- https://usn.ubuntu.com/4280-1/
- https://usn.ubuntu.com/4280-2/