CVSS2: 6.8 Medium
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

CVSS3: 8.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.008 Low
Percentile: 82.2%
Medium
Canonical Ubuntu
It was discovered that ncurses was incorrectly performing bounds checks when processing invalid hashcodes. An attacker could possibly use this issue to cause a denial of service or to expose sensitive information. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-17594)

It was discovered that ncurses was incorrectly handling end-of-string characters when processing terminfo and termcap files. An attacker could possibly use this issue to cause a denial of service or to expose sensitive information. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-17595)

It was discovered that ncurses was incorrectly handling end-of-string characters when converting between termcap and terminfo formats. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-39537)

It was discovered that ncurses was incorrectly performing bounds checks when dealing with corrupt terminfo data while reading a terminfo file. An attacker could possibly use this issue to cause a denial of service or to expose sensitive information. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-29458)

It was discovered that ncurses was parsing environment variables when running with setuid applications and not properly handling the processing of malformed data when doing so. A local attacker could possibly use this issue to cause a denial of service (application crash) or execute arbitrary code. (CVE-2023-29491)

Update Instructions: Run sudo pro fix USN-6099-1 to fix the vulnerability. The problem can be corrected by updating your system to the following package versions:

- libx32ncurses5 – 6.0+20160213-1ubuntu1+esm3
- lib32tinfo-dev – 6.0+20160213-1ubuntu1+esm3
- ncurses-examples – 6.0+20160213-1ubuntu1+esm3
- lib32ncurses5-dev – 6.0+20160213-1ubuntu1+esm3
- lib32ncursesw5 – 6.0+20160213-1ubuntu1+esm3
- libtinfo-dev – 6.0+20160213-1ubuntu1+esm3
- libncursesw5 – 6.0+20160213-1ubuntu1+esm3
- libtinfo5 – 6.0+20160213-1ubuntu1+esm3
- lib64tinfo5 – 6.0+20160213-1ubuntu1+esm3
- lib32ncurses5 – 6.0+20160213-1ubuntu1+esm3
- libncurses5-dev – 6.0+20160213-1ubuntu1+esm3
- ncurses-bin – 6.0+20160213-1ubuntu1+esm3
- lib64ncurses5 – 6.0+20160213-1ubuntu1+esm3
- lib64ncurses5-dev – 6.0+20160213-1ubuntu1+esm3
- libncurses5 – 6.0+20160213-1ubuntu1+esm3
- libx32ncurses5-dev – 6.0+20160213-1ubuntu1+esm3
- lib32tinfo5 – 6.0+20160213-1ubuntu1+esm3
- ncurses-base – 6.0+20160213-1ubuntu1+esm3
- lib32ncursesw5-dev – 6.0+20160213-1ubuntu1+esm3
- ncurses-doc – 6.0+20160213-1ubuntu1+esm3
- libx32ncursesw5 – 6.0+20160213-1ubuntu1+esm3
- libx32ncursesw5-dev – 6.0+20160213-1ubuntu1+esm3
- libx32tinfo-dev – 6.0+20160213-1ubuntu1+esm3
- libx32tinfo5 – 6.0+20160213-1ubuntu1+esm3
- libncursesw5-dev – 6.0+20160213-1ubuntu1+esm3
- ncurses-term – 6.0+20160213-1ubuntu1+esm3

Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro
CVEs contained in this USN include: CVE-2019-17594, CVE-2019-17595, CVE-2021-39537, CVE-2022-29458, CVE-2023-29491.
Severity is medium unless otherwise noted.
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
2023-06-05: Initial vulnerability report published.
Name | Operator | Version
---|---|---
bionic stemcells | lt | 1.204
cflinuxfs3 | lt | 0.367.0
cflinuxfs4 | lt | 1.10.0
jammy stemcells | lt | 1.125
cf deployment | lt | 30.0.0