Alpine: multiple clamav packages, multiple freshclam packages: security update to 1.0.1-r0

critical Tenable Cloud Security Plugin ID 403854

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability
in the HFS+ partition file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7
and earlier could allow an unauthenticated, remote attacker to execute arbitrary code. This vulnerability
is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could
exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an
affected device. A successful exploit could allow the attacker to execute arbitrary code with the
privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service
(DoS) condition. For a description of this vulnerability, see the ClamAV blog
["https://blog.clamav.net/"]. (CVE-2023-20032)

- On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability
in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier
could allow an unauthenticated, remote attacker to access sensitive information on an affected device.
This vulnerability is due to enabling XML entity substitution that may result in XML external entity
injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by
ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file
that may be read by the ClamAV scanning process. (CVE-2023-20052)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-20032

https://security.alpinelinux.org/vuln/CVE-2023-20052

Plugin Details

Severity: Critical

ID: 403854

Version: Revision 1.33

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.07

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-20032

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/16/2023

Reference Information

CVE: CVE-2023-20032, CVE-2023-20052