CVSS3: 7.8 High

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.005 Low (Percentile 76.6%)

sysstat is a set of system performance tools for the Linux operating
system. On 32-bit systems, in versions 9.1.16 and newer but prior to
12.7.1, the allocate_structures function in sa_common.c contains a size_t
overflow. The function insufficiently checks bounds before arithmetic
multiplication, allowing for an overflow in the size allocated for the
buffer representing system activities. This issue may lead to Remote Code
Execution (RCE). This issue has been patched in version 12.7.1.
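
The overflow class described above, shown as an added example that is not sysstat's code or its patch: an unchecked size computation beside a checked one. The function names, the three factors (`item_count`, `sub_count`, `item_size`), the sample values and the use of `uint32_t` to model a 32-bit `size_t` on any host are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit size_t, so the wrap is visible on a 64-bit host too. */
typedef uint32_t size32_t;

/* Unchecked: the product is reduced modulo 2^32, as it would be on a
 * 32-bit build. A huge record count can yield a tiny allocation size. */
static size32_t unchecked_alloc_size(uint32_t item_count, uint32_t sub_count,
                                     uint32_t item_size)
{
    return (size32_t)(item_count * sub_count * item_size);
}

/* Checked: refuse any combination whose true product exceeds the range of
 * the size type, testing each step by division before multiplying. */
static bool checked_alloc_size(uint32_t item_count, uint32_t sub_count,
                               uint32_t item_size, size32_t *out)
{
    if (item_count == 0 || sub_count == 0 || item_size == 0)
        return false;                       /* nothing sensible to allocate */
    if (item_count > UINT32_MAX / sub_count)
        return false;                       /* item_count * sub_count wraps */
    uint32_t items = item_count * sub_count;
    if (items > UINT32_MAX / item_size)
        return false;                       /* items * item_size wraps */
    *out = items * item_size;
    return true;
}

int main(void)
{
    /* Constructed values, as if read from an untrusted file header:
     * 0x01000001 * 1 * 256 = 2^32 + 256, which wraps to 256. */
    uint32_t n = 0x01000001u, n2 = 1, sz = 256;
    size32_t safe = 0;

    printf("unchecked size: %u bytes for %u records\n",
           (unsigned)unchecked_alloc_size(n, n2, sz), (unsigned)n);
    printf("checked: %s\n",
           checked_alloc_size(n, n2, sz, &safe) ? "accepted" : "rejected");
    return 0;
}
```

With the unchecked form, later code that trusts the record count would index far beyond the 256 bytes actually allocated; the checked form rejects the input before any allocation happens.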
Author | Note |
---|---|
rodrigo-zaiden | incomplete fix for this CVE caused CVE-2023-33204. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | sysstat | < 11.6.1-1ubuntu0.2 | UNKNOWN |
ubuntu | 20.04 | noarch | sysstat | < 12.2.0-2ubuntu0.2 | UNKNOWN |
ubuntu | 22.04 | noarch | sysstat | < 12.5.2-2ubuntu0.1 | UNKNOWN |
ubuntu | 22.10 | noarch | sysstat | < 12.5.6-1ubuntu0.1 | UNKNOWN |
ubuntu | 23.04 | noarch | sysstat | < 12.5.6-1ubuntu1 | UNKNOWN |
ubuntu | 14.04 | noarch | sysstat | < 10.2.0-1ubuntu0.1~esm1 | UNKNOWN |
ubuntu | 16.04 | noarch | sysstat | < 11.2.0-1ubuntu0.3+esm1 | UNKNOWN |
github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x
launchpad.net/bugs/cve/CVE-2022-39377
nvd.nist.gov/vuln/detail/CVE-2022-39377
security-tracker.debian.org/tracker/CVE-2022-39377
ubuntu.com/security/notices/USN-5735-1
ubuntu.com/security/notices/USN-5748-1
ubuntu.com/security/notices/USN-6145-1
www.cve.org/CVERecord?id=CVE-2022-39377