製品・ソフトウェアに関する情報

JVN脆弱性詳細

cURL および libcurl における整数オーバーフローの脆弱性

Title	cURL および libcurl における整数オーバーフローの脆弱性
Summary	cURL および libcurl には、整数オーバーフローの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 6, 2017, midnight
Registration Date	Dec. 27, 2017, 3:06 p.m.
Last Update	Dec. 27, 2017, 3:06 p.m.

Affected System

Debian

Debian GNU/Linux 8.0

Debian GNU/Linux 9.0

Haxx

cURL 7.57.0 未満

libcurl 7.57.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-8816	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816
National Vulnerability Database (NVD)
2	CVE-2017-8816	https://nvd.nist.gov/vuln/detail/CVE-2017-8816

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-190	https://cwe.mitre.org/data/definitions/190.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-4051	https://www.debian.org/security/2017/dsa-4051
Security Advisory
2	NTLM buffer overflow via integer overflow	https://curl.haxx.se/docs/adv_2017-12e7.html

その他

No	Name	URL
関連文書
1	CLD-161 Details	http://security.cucumberlinux.com/security/details.php?id=161

Change Log

No	Changed Details	Date of change
0	[2017年12月27日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-8816

Summary	The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.
Publication Date	Nov. 30, 2017, 3:29 a.m.
Registration Date	Jan. 26, 2021, 1:30 p.m.
Last Update	Nov. 21, 2024, 12:34 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://security.cucumberlinux.com/security/details.php?id=161	Third Party Advisory
2	http://security.cucumberlinux.com/security/details.php?id=161	Third Party Advisory
3	http://www.securityfocus.com/bid/101998	Third Party Advisory VDB Entry
4	http://www.securityfocus.com/bid/101998	Third Party Advisory VDB Entry
5	http://www.securitytracker.com/id/1039896	Third Party Advisory VDB Entry
6	http://www.securitytracker.com/id/1039896	Third Party Advisory VDB Entry
7	http://www.securitytracker.com/id/1040608
8	http://www.securitytracker.com/id/1040608
9	https://access.redhat.com/errata/RHSA-2018:3558
10	https://access.redhat.com/errata/RHSA-2018:3558
11	https://curl.haxx.se/docs/adv_2017-12e7.html	Mitigation Vendor Advisory
12	https://curl.haxx.se/docs/adv_2017-12e7.html	Mitigation Vendor Advisory
13	https://security.gentoo.org/glsa/201712-04	Third Party Advisory
14	https://security.gentoo.org/glsa/201712-04	Third Party Advisory
15	https://www.debian.org/security/2017/dsa-4051	Third Party Advisory
16	https://www.debian.org/security/2017/dsa-4051	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-190	整数オーバーフローまたはラップアラウンド	https://cwe.mitre.org/data/definitions/190.html