CVE Vulnerabilities

CVE-2017-2808

Use After Free

Published: Sep 05, 2017 | Modified: Apr 20, 2025
CVSS 3.x
7.8
HIGH
Source:
NVD
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.x
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

An exploitable use-after-free vulnerability exists in the account parsing component of the Ledger-CLI 3.1.1. A specially crafted ledger file can cause a use-after-free vulnerability resulting in arbitrary code execution. An attacker can convince a user to load a journal file to trigger this vulnerability.

Weakness

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.

Affected Software

Name Vendor Start Version End Version
Ledger Ledger-cli 3.1.1 (including) 3.1.1 (including)
Ledger Ubuntu artful *
Ledger Ubuntu bionic *
Ledger Ubuntu cosmic *
Ledger Ubuntu devel *
Ledger Ubuntu disco *
Ledger Ubuntu eoan *
Ledger Ubuntu esm-apps/bionic *
Ledger Ubuntu esm-apps/focal *
Ledger Ubuntu esm-apps/jammy *
Ledger Ubuntu esm-apps/noble *
Ledger Ubuntu esm-apps/xenial *
Ledger Ubuntu focal *
Ledger Ubuntu groovy *
Ledger Ubuntu hirsute *
Ledger Ubuntu impish *
Ledger Ubuntu jammy *
Ledger Ubuntu kinetic *
Ledger Ubuntu lunar *
Ledger Ubuntu mantic *
Ledger Ubuntu noble *
Ledger Ubuntu oracular *
Ledger Ubuntu plucky *
Ledger Ubuntu xenial *
Ledger Ubuntu zesty *

Potential Mitigations

References