Vulnerabilities > CVE-2023-40889 - Out-of-bounds Write vulnerability in Zbar Project Zbar 0.23.90

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

zbar-project

CWE-787

critical

NVD

Published: 2023-08-29

Updated: 2024-11-21

Summary

A heap-based buffer overflow exists in the qr_reader_match_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.

Vulnerable Configurations

Part	Description	Count
Application	Zbar_Project Zbar Project Zbar 0.23.90	1

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

References

https://hackmd.io/%40cspl/B1ZkFZv23
https://hackmd.io/%40cspl/B1ZkFZv23
https://lists.debian.org/debian-lts-announce/2023/12/msg00001.html
https://lists.debian.org/debian-lts-announce/2023/12/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25LZZQJGGZRPLKTRNRNOTAFQJIPS7WRP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25LZZQJGGZRPLKTRNRNOTAFQJIPS7WRP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DC7V5YCLCPB36J2KY6WLZCABFLBRB665/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DC7V5YCLCPB36J2KY6WLZCABFLBRB665/