CVE-2024-3209

Name
CVE-2024-3209
Description
A vulnerability was found in UPX up to 4.2.2. It has been rated as critical. This issue affects the function get_ne64 of the file bele.h. The manipulation leads to heap-based buffer overflow. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259055. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
exploit https://drive.google.com/drive/folders/1qlUXvycOzGJygfkdQB9dGO6VwNRRZoih?usp=sharing
signature https://vuldb.com/?ctiid.259055
vdb-entry https://vuldb.com/?id.259055
third-party-advisory https://vuldb.com/?submit.304575
cna@vuldb.com https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZHWZN2NX5W3WYA6ACJ746PAZXXNZETKD/
cna@vuldb.com https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J4DNK3AFPT4KIPTBKGCJ6FC3L7AWI2TN/
cna@vuldb.com https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AE5OZ7YUEVLXVVS6PFP5RELVICQ4K6QK/

Match rules

CPE URI Source package Min version Max version
upx == 4.2.0 == 4.2.0
upx == 4.2.1 == 4.2.1
upx == 4.2.2 == 4.2.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
upx 3.19-community 4.2.1-r0 Celeste <cielesti@protonmail.com> possibly vulnerable