CVE-2023-37921

Multiple arbitrary write vulnerabilities exist in the VCD sorted bsearch functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the arbitrary write when triggered via the vcd2vzt conversion utility.
Configurations

Configuration 1

cpe:2.3:a:tonybybell:gtkwave:3.3.115:*:*:*:*:*:*:*

History

21 Nov 2024, 08:12

Type Values Removed Values Added
References () https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html - () https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html -
References () https://talosintelligence.com/vulnerability_reports/TALOS-2023-1807 - Exploit, Third Party Advisory () https://talosintelligence.com/vulnerability_reports/TALOS-2023-1807 - Exploit, Third Party Advisory

09 Apr 2024, 21:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html -

11 Jan 2024, 18:00

Type Values Removed Values Added
CPE cpe:2.3:a:tonybybell:gtkwave:3.3.115:*:*:*:*:*:*:*
CWE NVD-CWE-Other
References () https://talosintelligence.com/vulnerability_reports/TALOS-2023-1807 - () https://talosintelligence.com/vulnerability_reports/TALOS-2023-1807 - Exploit, Third Party Advisory
Summary
  • (es) Multiple arbitrary write vulnerabilities exist in the VCD sorted bsearch functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the arbitrary write when triggered via the vcd2vzt conversion utility.
First Time Tonybybell gtkwave
Tonybybell

08 Jan 2024, 18:15

Type Values Removed Values Added
References
  • {'url': 'https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1807', 'source': 'talos-cna@cisco.com'}

08 Jan 2024, 15:27

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-08 15:15

Updated : 2024-11-21 08:12


NVD link : CVE-2023-37921

Mitre link : CVE-2023-37921

CVE.ORG link : CVE-2023-37921



Products Affected

tonybybell

  • gtkwave
CWE
CWE-118

Incorrect Access of Indexable Resource ('Range Error')

NVD-CWE-Other