CVE-2023-52169

HIGH

7-Zip <24.01 - Memory Corruption

Title source: llm

Description

The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process.

References (5)

Core 5

Core References

Product

https://sourceforge.net/p/sevenzip/bugs/2402/

Various Sources

https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/

Vendor Advisory

https://security.netapp.com/advisory/ntap-20241122-0011/

Mailing List

https://www.openwall.com/lists/oss-security/2024/07/03/10

Mailing List mailing-list

http://www.openwall.com/lists/oss-security/2024/07/03/10

Scores

CVSS v3 8.2

EPSS 0.0018

EPSS Percentile 38.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-125

Status published

Published Jul 03, 2024

Tracked Since Feb 18, 2026