CVE-2016-4331
Published: 18 November 2016
When decoding data out of a dataset encoded with the H5Z_NBIT decoding, the HDF5 1.8.16 library will fail to ensure that the precision is within the bounds of the size leading to arbitrary code execution.
From the Ubuntu Security Team
It was discovered that HDF5 incorrectly handled decoding of data. An attacker could possibly use this issue to execute arbitrary code.
Priority
Status
Package | Release | Status |
---|---|---|
hdf5 Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
bionic |
Not vulnerable
(1.10.0-patch1+docs-1~exp5)
|
|
precise |
Ignored
(end of life)
|
|
trusty |
Released
(1.8.11-5ubuntu7.1)
|
|
upstream |
Released
(1.8.18)
|
|
xenial |
Released
(1.8.16+docs-4ubuntu1.1)
|
|
yakkety |
Ignored
(end of life)
|
|
zesty |
Ignored
(end of life)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.6 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |