CVE-2011-3626 : Double free vulnerability in the prepare_exec function in src/exec.c in Logsurfer 1.5b and earlier, and Logsurfer+ 1.7 a

Double free vulnerability in the prepare_exec function in src/exec.c in Logsurfer 1.5b and earlier, and Logsurfer+ 1.7 and earlier, allows remote attackers to execute arbitrary commands via crafted strings in a log file.

Published 2012-01-27 15:55:04

Updated 2012-01-30 05:00:00

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Memory Corruption

Exploit prediction scoring system (EPSS) score for CVE-2011-3626

Probability of exploitation activity in the next 30 days: 0.81%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 81 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2011-3626

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2011-3626

CWE-399

Assigned by: nvd@nist.gov (Primary)

References for CVE-2011-3626

https://bugs.gentoo.org/show_bug.cgi?id=387397

387397 – (CVE-2011-3626) <app-admin/logsurfer+-1.8 Double-free Vulnerability (CVE-2011-3626)
Patch;Vendor Advisory
http://www.openwall.com/lists/oss-security/2011/10/17/4

oss-security - Re: CVE request: double-free vulnerability in logsurfer
http://www.openwall.com/lists/oss-security/2011/10/17/2

oss-security - CVE request: double-free vulnerability in logsurfer
Patch
http://security.gentoo.org/glsa/glsa-201201-04.xml

Logsurfer: Arbitrary code execution (GLSA 201201-04) — Gentoo security
Vendor Advisory

Products affected by CVE-2011-3626

Drusus » Logsurfer
Versions up to, including, (<=) 1.5b
cpe:2.3:a:drusus:logsurfer:*:*:*:*:*:*:*:*
Matching versions
Drusus » Logsurfer » Version: 1.5a
cpe:2.3:a:drusus:logsurfer:1.5a:*:*:*:*:*:*:*
Matching versions
Drusus » Logsurfer » Version: 1.5
cpe:2.3:a:drusus:logsurfer:1.5:*:*:*:*:*:*:*
Matching versions
Drusus » Logsurfer » Version: 1.5 Update Beta2
cpe:2.3:a:drusus:logsurfer:1.5:beta2:*:*:*:*:*:*
Matching versions
Drusus » Logsurfer » Version: 1.41
cpe:2.3:a:drusus:logsurfer:1.41:*:*:*:*:*:*:*
Matching versions
Drusus » Logsurfer » Version: 1.3
cpe:2.3:a:drusus:logsurfer:1.3:*:*:*:*:*:*:*
Matching versions
Drusus » Logsurfer » Version: 1.2
cpe:2.3:a:drusus:logsurfer:1.2:*:*:*:*:*:*:*
Matching versions
Drusus » Logsurfer » Version: 1.1
cpe:2.3:a:drusus:logsurfer:1.1:*:*:*:*:*:*:*
Matching versions
Drusus » Logsurfer » Version: 1.5 Update Beta
cpe:2.3:a:drusus:logsurfer:1.5:beta:*:*:*:*:*:*
Matching versions
Drusus » Logsurfer » Version: 1.4
cpe:2.3:a:drusus:logsurfer:1.4:*:*:*:*:*:*:*
Matching versions
Kerry Thompson » Logsurfer+
Versions up to, including, (<=) 1.7
cpe:2.3:a:kerry_thompson:logsurfer\+:*:*:*:*:*:*:*:*
Matching versions
Kerry Thompson » Logsurfer+ » Version: 1.5b
cpe:2.3:a:kerry_thompson:logsurfer\+:1.5b:*:*:*:*:*:*:*
Matching versions
Kerry Thompson » Logsurfer+ » Version: 1.5a
cpe:2.3:a:kerry_thompson:logsurfer\+:1.5a:*:*:*:*:*:*:*
Matching versions
Kerry Thompson » Logsurfer+ » Version: 1.6b
cpe:2.3:a:kerry_thompson:logsurfer\+:1.6b:*:*:*:*:*:*:*
Matching versions
Kerry Thompson » Logsurfer+ » Version: 1.6
cpe:2.3:a:kerry_thompson:logsurfer\+:1.6:*:*:*:*:*:*:*
Matching versions
Kerry Thompson » Logsurfer+ » Version: 1.6a
cpe:2.3:a:kerry_thompson:logsurfer\+:1.6a:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2011-3626

Exploit prediction scoring system (EPSS) score for CVE-2011-3626

CVSS scores for CVE-2011-3626

CWE ids for CVE-2011-3626

References for CVE-2011-3626

Products affected by CVE-2011-3626