CVE-2020-21047

Published: 22 August 2023

The libcpu component, which is used by libasm of elfutils version 0.177 (git 47780c9e), suffers from a denial-of-service vulnerability caused by application crashes due to an out-of-bounds write (CWE-787), an off-by-one error (CWE-193) and a reachable assertion (CWE-617). To exploit the vulnerability, an attacker needs to craft certain ELF files that bypass the missing bounds checks.

Priority

Medium

CVSS 3 Severity Score

5.5

Status

Package: elfutils (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (0.170-0.4ubuntu0.1+esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only)
focal      Released (0.176-1.1ubuntu0.1)
jammy      Not vulnerable (0.186-1build1)
lunar      Not vulnerable (0.188-2.1)
trusty     Released (0.158-0ubuntu5.3+esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only)
upstream   Released (0.178)
xenial     Released (0.165-3ubuntu1.2+esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only)

Patches:
upstream: https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=99dc63b10b3878616b85df2dfd2e4e7103e414b8

Severity score breakdown

Parameter              Value
Base score             5.5
Attack vector          Local
Attack complexity      Low
Privileges required    None
User interaction       Required
Scope                  Unchanged
Confidentiality        None
Integrity impact       None
Availability impact    High
Vector                 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H