CVE-2017-12613

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 24-10-2017 03:29

Last modified: - 18-04-2022 08:16

Total changes: - 8

Description

When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Low

Attack complexity

Local

Attack vector

High

Availability

High

Confidentiality

None

Integrity

Low

Privileges required

Unchanged

Scope

None

User interaction

7.1

Base score

1.8

5.2

Exploitability score

Impact score

Verification logic

vendor=apache AND product=portable_runtime AND versionEndExcluding=1.7.0

vendor=Debian AND product=debian_linux AND version=7.0

vendor=Debian AND product=debian_linux AND version=9.0

vendor=Red Hat Enterprise Linux AND product=jboss_core_services AND version=-

vendor=Red Hat Enterprise Linux AND product=jboss_core_services AND version=1.0

vendor=Red Hat Enterprise Linux AND product=jboss_enterprise_web_server AND version=3.0.0

vendor=Red Hat Enterprise Linux AND product=software_collections AND version=1.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_desktop AND version=6.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_desktop AND version=7.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_eus AND version=6.7

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_eus AND version=7.3

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_eus AND version=7.4

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_eus AND version=7.5

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_eus AND version=7.6

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_eus AND version=7.7

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server AND version=6.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server AND version=7.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_aus AND version=6.4

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_aus AND version=6.5

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_aus AND version=6.6

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_aus AND version=7.2

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_aus AND version=7.3

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_aus AND version=7.4

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_aus AND version=7.6

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_aus AND version=7.7

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_tus AND version=6.6

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_tus AND version=7.2

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_tus AND version=7.3

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_tus AND version=7.4

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_tus AND version=7.6

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_server_tus AND version=7.7

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_workstation AND version=6.0

vendor=Red Hat Enterprise Linux AND product=enterprise_linux_workstation AND version=7.0

Reference

[announce] 20171023 Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 Released-Issue Tracking, Vendor Advisory
101560-Broken Link
https://svn.apache.org/viewvc?view=revision&revision=1807976
RHSA-2017:3270-Third Party Advisory
RHSA-2017:3477-Third Party Advisory
RHSA-2017:3476-Third Party Advisory
RHSA-2017:3475-Third Party Advisory
http://www.apache.org/dist/apr/Announcement1.x.html
[debian-lts-announce] 20171106 [SECURITY] [DLA 1162-1] apr security update-Mailing List, Third Party Advisory
RHSA-2018:0316-Third Party Advisory
RHSA-2018:0466-Third Party Advisory
RHSA-2018:0465-Third Party Advisory
RHSA-2018:1253-Third Party Advisory
1042004-Third Party Advisory, VDB Entry
[apr-commits] 20210816 svn commit: r1892358 - /apr/apr/branches/1.7.x/CHANGES-Mailing List, Patch, Vendor Advisory
[apr-commits] 20210820 svn commit: r49582 - /release/apr/patches/apr-1.7.0-CVE-2021-35940.patch-Mailing List, Patch, Vendor Advisory
[oss-security] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613-Mailing List, Third Party Advisory
[apr-dev] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613-Mailing List, Vendor Advisory
[announce] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613-Mailing List, Vendor Advisory
[apr-dev] 20210916 Re: CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613-Mailing List, Vendor Advisory
[debian-lts-announce] 20220124 [SECURITY] [DLA 2897-1] apr security update-Mailing List, Third Party Advisory

Keywords

CVE-2017-12613

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2017-12613

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures