CVE-2017-12618LOW
Description
Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to validate the integrity of SDBM database files used by apr_sdbm*() functions, resulting in a possible out of bound read access. A local user with write access to the database can make a program or process using these functions crash, and cause a denial of service.
References
http://www.securityfocus.com/bid/101558
http://www.securitytracker.com/id/1042004
https://lists.debian.org/debian-lts-announce/2017/11/msg00006.html
Details
Source: MITRE
Published: 2017-10-24
Updated: 2018-10-31
Type: CWE-125
Risk Information
CVSS v2.0
Base Score: 1.9
Vector: AV:L/AC:M/Au:N/C:N/I:N/A:P
Impact Score: 2.9
Exploitability Score: 3.4
Severity: LOW
CVSS v3.0
Base Score: 4.7
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Impact Score: 3.6
Exploitability Score: 1
Severity: MEDIUM
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:apache:portable_runtime_utility:0.9.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:0.9.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.1.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.2.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.2.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.2.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.2.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.2.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.2.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.2.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.3.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.3.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.3.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.3.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.3.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.3.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.3.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.3.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.3.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.3.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.3.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.5.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.5.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.5.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:portable_runtime_utility:1.6.0:*:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 144074 | IBM HTTP Server 7.0.0.0 < 7.0.0.45 / 8.0.0.0 < 8.0.0.15 / 8.5.0.0 < 8.5.5.13 / 9.0.0.0 < 9.0.0.6 Multiple Vulnerabilities (298437) | Nessus | Web Servers | medium |
| 700518 | macOS < 10.14 Multiple Vulnerabilities | Nessus Network Monitor | Operating System Detection | critical |
| 118575 | macOS 10.13.6 Multiple Vulnerabilities (Security Update 2018-002) | Nessus | MacOS X Local Security Checks | critical |
| 118573 | macOS and Mac OS X Multiple Vulnerabilities (Security Update 2018-005) | Nessus | MacOS X Local Security Checks | critical |
| 118178 | macOS < 10.14 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical |
| 106532 | SUSE SLES11 Security Update : libapr-util1 (SUSE-SU-2018:0307-1) | Nessus | SuSE Local Security Checks | low |
| 105265 | openSUSE Security Update : libapr-util1 (openSUSE-2017-1370) | Nessus | SuSE Local Security Checks | low |
| 105253 | SUSE SLES12 Security Update : libapr-util1 (SUSE-SU-2017:3278-1) | Nessus | SuSE Local Security Checks | low |
| 105053 | Amazon Linux AMI : apr-util (ALAS-2017-929) | Nessus | Amazon Linux Local Security Checks | low |
| 104593 | Fedora 26 : apr-util (2017-329e5fb4c9) | Nessus | Fedora Local Security Checks | low |
| 104413 | Debian DLA-1163-1 : apr-util security update | Nessus | Debian Local Security Checks | low |