{"containers": {"cna": {"affected": [{"product": "augeas", "vendor": "Red Hat, Inc.", "versions": [{"status": "affected", "version": "up to and including 1.8.0"}]}], "datePublic": "2017-08-17T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer overflow due to improper handling of escaped strings. Attacker could send crafted strings that would cause the application using augeas to copy past the end of a buffer, leading to a crash or possible code execution."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "CWE-122", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-08-07T13:06:20.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://puppet.com/security/cve/cve-2017-7555"}, {"name": "100378", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100378"}, {"name": "RHSA-2017:2788", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2788"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/hercules-team/augeas/pull/480"}, {"name": "DSA-3949", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-3949"}, {"name": "RHSA-2019:2403", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2403"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "DATE_PUBLIC": "2017-08-17T00:00:00", "ID": "CVE-2017-7555", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "augeas", "version": {"version_data": [{"version_value": "up to and including 1.8.0"}]}}]}, "vendor_name": "Red Hat, Inc."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer overflow due to improper handling of escaped strings. Attacker could send crafted strings that would cause the application using augeas to copy past the end of a buffer, leading to a crash or possible code execution."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-122"}]}]}, "references": {"reference_data": [{"name": "https://puppet.com/security/cve/cve-2017-7555", "refsource": "CONFIRM", "url": "https://puppet.com/security/cve/cve-2017-7555"}, {"name": "100378", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100378"}, {"name": "RHSA-2017:2788", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2788"}, {"name": "https://github.com/hercules-team/augeas/pull/480", "refsource": "MISC", "url": "https://github.com/hercules-team/augeas/pull/480"}, {"name": "DSA-3949", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-3949"}, {"name": "RHSA-2019:2403", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2403"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T16:04:12.052Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://puppet.com/security/cve/cve-2017-7555"}, {"name": "100378", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/100378"}, {"name": "RHSA-2017:2788", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2788"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/hercules-team/augeas/pull/480"}, {"name": "DSA-3949", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2017/dsa-3949"}, {"name": "RHSA-2019:2403", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2403"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-7555", "datePublished": "2017-08-17T19:00:00.000Z", "dateReserved": "2017-04-05T00:00:00.000Z", "dateUpdated": "2024-09-17T02:36:08.138Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:augeas:augeas:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E6A5F03-A1F0-42AC-BBCF-A37EC722618A", "versionEndIncluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer overflow due to improper handling of escaped strings. Attacker could send crafted strings that would cause the application using augeas to copy past the end of a buffer, leading to a crash or possible code execution."}, {"lang": "es", "value": "Augeas en sus versiones hasta la 1.8.0 (esta incluida) es vulnerable a un desbordamiento de b\u00fafer basado en memoria din\u00e1mica debido a una gesti\u00f3n indebida de strings escapados. Un atacante podr\u00eda enviar strings manipulados que har\u00edan que la aplicaci\u00f3n que emplea Augeas copie y pegue el final de un b\u00fafer, provocando un bloqueo o una posible ejecuci\u00f3n de c\u00f3digo."}], "id": "CVE-2017-7555", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-08-17T19:29:00.223", "references": [{"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2017/dsa-3949"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100378"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2017:2788"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2019:2403"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/hercules-team/augeas/pull/480"}, {"source": "secalert@redhat.com", "url": "https://puppet.com/security/cve/cve-2017-7555"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2017/dsa-3949"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100378"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2017:2788"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:2403"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/hercules-team/augeas/pull/480"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://puppet.com/security/cve/cve-2017-7555"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Han Han (Red Hat).", "affected_release": [{"advisory": "RHSA-2017:2788", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "augeas-0:1.4.0-2.el7_4.1", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-09-21T00:00:00Z"}, {"advisory": "RHSA-2019:2403", "cpe": "cpe:/o:redhat:rhel_aus:7.3", "package": "augeas-0:1.4.0-2.el7_3.1", "product_name": "Red Hat Enterprise Linux 7.3 Advanced Update Support", "release_date": "2019-08-07T00:00:00Z"}, {"advisory": "RHSA-2019:2403", "cpe": "cpe:/o:redhat:rhel_tus:7.3", "package": "augeas-0:1.4.0-2.el7_3.1", "product_name": "Red Hat Enterprise Linux 7.3 Telco Extended Update Support", "release_date": "2019-08-07T00:00:00Z"}, {"advisory": "RHSA-2019:2403", "cpe": "cpe:/o:redhat:rhel_e4s:7.3", "package": "augeas-0:1.4.0-2.el7_3.1", "product_name": "Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions", "release_date": "2019-08-07T00:00:00Z"}], "bugzilla": {"description": "augeas: Improper handling of escaped strings leading to memory corruption", "id": "1478373", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1478373"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-20->CWE-122", "details": ["Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer overflow due to improper handling of escaped strings. Attacker could send crafted strings that would cause the application using augeas to copy past the end of a buffer, leading to a crash or possible code execution.", "A vulnerability was discovered in augeas affecting the handling of escaped strings. An attacker could send crafted strings that would cause the application using augeas to copy past the end of a buffer, leading to a crash or possible code execution."], "name": "CVE-2017-7555", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "augeas", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "rhev-hypervisor", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openstack-installer:6", "fix_state": "Will not fix", "package_name": "augeas", "product_name": "Red Hat Enterprise Linux OpenStack Platform 6 (Juno) Installer"}, {"cpe": "cpe:/a:redhat:enterprise_linux:7::hypervisor", "fix_state": "Out of support scope", "package_name": "rhev-hypervisor6", "product_name": "Red Hat Enterprise Virtualization 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Will not fix", "package_name": "augeas", "product_name": "Red Hat Storage 3"}], "public_date": "2017-08-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-7555\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-7555"], "threat_severity": "Important"}

{}