CVE-2023-0687
Published: 6 February 2023
** DISPUTED ** A vulnerability was found in GNU C Library 2.38. It has been declared as critical. This vulnerability affects the function __monstartup of the file gmon.c of the component Call Graph Monitor. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. VDB-220246 is the identifier assigned to this vulnerability. NOTE: The real existence of this vulnerability is still doubted at the moment. The inputs that induce this vulnerability are basically addresses of the running application that is built with gmon enabled. It's basically trusted input or input that needs an actual security flaw to be compromised or controlled.
Notes
| Author | Note |
|---|---|
| iconstantin | Upstream does not consider this to be a security issue and is disputing the CVE. |
| mdeslaur | marking as not-affected due to the issue being disputed |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
eglibc Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Not vulnerable
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
|
glibc Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| kinetic |
Not vulnerable
|
|
| lunar |
Not vulnerable
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |