Vulnerability Name:

CVE-2017-17969

Assigned:2017-12-29
Published:2017-12-29
Updated:2018-02-15
Summary:Heap-based buffer overflow in the NCompress::NShrink::CDecoder::CodeReal method in 7-Zip before 18.00 and p7zip allows remote attackers to cause a denial of service (out-of-bounds write) or potentially execute arbitrary code via a crafted ZIP archive.
CVSS v3 Severity:7.8 High (CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.8 Medium (Temporal CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
7.8 High (CCN CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.8 Medium (CCN Temporal CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-787
References:Source: XF
Type: UNKNOWN
7zip-cve201717969-bo(138443)

Source: MISC
Type: VENDOR_ADVISORY
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/

Source: MLIST
Type: VENDOR_ADVISORY
[debian-lts-announce] 20180202 [SECURITY] [DLA 1268-1] p7zip security update

Source: DEBIAN
Type: VENDOR_ADVISORY
DSA-4104

Vulnerable Configuration:Configuration 1:
  • cpe:/a:7-zip:7-zip:3.13:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.20:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.23:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.24:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.25:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.26:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.27:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.28:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.29:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.30:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.31:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.32:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.33:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.34:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.35:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.36:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.37:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.38:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.39:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.40:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.41:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.42:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.43:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.44:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.45:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.46:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.47:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.48:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.49:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.50:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.51:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.52:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.53:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.54:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.55:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.56:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.57:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.58:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.59:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.60:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.61:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.62:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.63:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.64:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.65:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:4.65::~~~~x64~:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:9.04:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:9.06:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:9.07:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:9.10:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:9.11:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:9.12:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:9.13:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:9.20:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:9.20::~~~~x64~:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:9.22:beta:*:*:*:*:*:*
  • OR cpe:/a:7-zip:7-zip:15.14:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:0.80:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:0.81:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:0.90:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:0.91:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.10:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.12:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.13:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.14:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.14.01:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.16:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.18:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.20:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.27:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.29:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.30:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.33:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.37:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.39:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.42:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.43:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.44:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.45:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.47:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.48:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.49:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.51:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.53:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.55:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.57:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.58:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.61:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:4.65:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:9.04:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:9.20.1:*:*:*:*:*:*:*
  • OR cpe:/a:7-zip:p7zip:16.02:*:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

  • Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:201717969
    V
    CVE-2017-17969
    2018-02-18
    oval:com.ubuntu.xenial:def:201717969000
    V
    CVE-2017-17969 on Ubuntu 16.04 LTS (xenial) - untriaged.
    2018-01-30
    oval:com.ubuntu.trusty:def:201717969000
    V
    CVE-2017-17969 on Ubuntu 14.04 LTS (trusty) - untriaged.
    2018-01-30
    oval:com.ubuntu.artful:def:201717969000
    V
    CVE-2017-17969 on Ubuntu 17.10 (artful) - untriaged.
    2018-01-30
    BACK
    7-zip 7-zip 3.13
    7-zip 7-zip 4.20
    7-zip 7-zip 4.23
    7-zip 7-zip 4.24 beta
    7-zip 7-zip 4.25 beta
    7-zip 7-zip 4.26 beta
    7-zip 7-zip 4.27 beta
    7-zip 7-zip 4.28 beta
    7-zip 7-zip 4.29 beta
    7-zip 7-zip 4.30 beta
    7-zip 7-zip 4.31
    7-zip 7-zip 4.32
    7-zip 7-zip 4.33 beta
    7-zip 7-zip 4.34 beta
    7-zip 7-zip 4.35 beta
    7-zip 7-zip 4.36 beta
    7-zip 7-zip 4.37 beta
    7-zip 7-zip 4.38 beta
    7-zip 7-zip 4.39 beta
    7-zip 7-zip 4.40 beta
    7-zip 7-zip 4.41 beta
    7-zip 7-zip 4.42
    7-zip 7-zip 4.43 beta
    7-zip 7-zip 4.44 beta
    7-zip 7-zip 4.45 beta
    7-zip 7-zip 4.46 beta
    7-zip 7-zip 4.47 beta
    7-zip 7-zip 4.48 beta
    7-zip 7-zip 4.49 beta
    7-zip 7-zip 4.50 beta
    7-zip 7-zip 4.51 beta
    7-zip 7-zip 4.52 beta
    7-zip 7-zip 4.53 beta
    7-zip 7-zip 4.54 beta
    7-zip 7-zip 4.55 beta
    7-zip 7-zip 4.56 beta
    7-zip 7-zip 4.57
    7-zip 7-zip 4.58 beta
    7-zip 7-zip 4.59 beta
    7-zip 7-zip 4.60 beta
    7-zip 7-zip 4.61 beta
    7-zip 7-zip 4.62
    7-zip 7-zip 4.63
    7-zip 7-zip 4.64
    7-zip 7-zip 4.65
    7-zip 7-zip 4.65
    7-zip 7-zip 9.04 beta
    7-zip 7-zip 9.06 beta
    7-zip 7-zip 9.07 beta
    7-zip 7-zip 9.10 beta
    7-zip 7-zip 9.11 beta
    7-zip 7-zip 9.12 beta
    7-zip 7-zip 9.13 beta
    7-zip 7-zip 9.20
    7-zip 7-zip 9.20
    7-zip 7-zip 9.22 beta
    7-zip 7-zip 15.14
    7-zip p7zip 0.80
    7-zip p7zip 0.81
    7-zip p7zip 0.90
    7-zip p7zip 0.91
    7-zip p7zip 4.10
    7-zip p7zip 4.12
    7-zip p7zip 4.13
    7-zip p7zip 4.14
    7-zip p7zip 4.14.01
    7-zip p7zip 4.16
    7-zip p7zip 4.18
    7-zip p7zip 4.20
    7-zip p7zip 4.27
    7-zip p7zip 4.29
    7-zip p7zip 4.30
    7-zip p7zip 4.33
    7-zip p7zip 4.37
    7-zip p7zip 4.39
    7-zip p7zip 4.42
    7-zip p7zip 4.43
    7-zip p7zip 4.44
    7-zip p7zip 4.45
    7-zip p7zip 4.47
    7-zip p7zip 4.48
    7-zip p7zip 4.49
    7-zip p7zip 4.51
    7-zip p7zip 4.53
    7-zip p7zip 4.55
    7-zip p7zip 4.57
    7-zip p7zip 4.58
    7-zip p7zip 4.61
    7-zip p7zip 4.65
    7-zip p7zip 9.04
    7-zip p7zip 9.20.1
    7-zip p7zip 16.02
    debian debian linux 7.0
    debian debian linux 8.0
    debian debian linux 9.0