CVE-2023-37328

CVE Details

Release Date:2023-07-05

Description


GStreamer PGS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\nThe specific flaw exists within the parsing of PGS subtitle files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20994.

See more information about CVE-2023-37328 from MITRE CVE dictionary and NIST NVD


CVSS v3.0 metrics


NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.

Base Score: 5.5 Base Metrics: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Access Vector: Local network Attack Complexity: Low
Privileges Required: None User Interaction: Required
Scope: Unchanged Confidentiality Impact: None
Integrity Impact: None Availability Impact: High

Errata information


PlatformErrataRelease Date
Oracle Linux version 8 (gstreamer1-plugins-base)ELSA-2024-30882024-05-23
Oracle Linux version 9 (gstreamer1-plugins-base)ELSA-2024-23022024-05-02



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete