CVE-2022-3515
Published: 17 October 2022
A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.
From the Ubuntu Security Team
It was discovered that an integer overflow could be triggered in Libksba when decoding certain data. An attacker could use this issue to cause a denial of service (application crash) or possibly execute arbitrary code.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libksba Launchpad, Ubuntu, Debian |
focal |
Released
(1.3.5-2ubuntu0.20.04.1)
|
| jammy |
Released
(1.6.0-2ubuntu0.1)
|
|
| trusty |
Released
(1.3.0-3ubuntu0.14.04.2+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| xenial |
Released
(1.3.3-1ubuntu0.16.04.1+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Released
(1.6.2-1)
|
|
| bionic |
Released
(1.3.5-2ubuntu0.18.04.1)
|
|
| kinetic |
Released
(1.6.0-3ubuntu1)
|
|
|
Patches: upstream: https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |