FreeBSD : ledger -- multiple vulnerabilities (d843a984-7f22-484f-ba81-483ddbe30dc3)
Medium Nessus Plugin ID 103482
SynopsisThe remote FreeBSD host is missing a security-related update.
DescriptionTalos reports :
An exploitable buffer overflow vulnerability exists in the tag parsing functionality of Ledger-CLI 3.1.1. A specially crafted journal file can cause an integer underflow resulting in code execution. An attacker can construct a malicious journal file to trigger this vulnerability.
An exploitable use-after-free vulnerability exists in the account parsing component of the Ledger-CLI 3.1.1. A specially crafted ledger file can cause a use-after-free vulnerability resulting in arbitrary code execution. An attacker can convince a user to load a journal file to trigger this vulnerability.
SolutionUpdate the affected package.