CVE-2018-4038

An exploitable arbitrary write vulnerability exists in the open document format parser of the Atlantis Word Processor, version 3.2.7.2, while trying to null-terminate a string. A specially crafted document can allow an attacker to pass an untrusted value as a length to a constructor. This constructor will miscalculate a length and then use it to calculate the position to write a null byte. This can allow an attacker to corrupt memory, which can result in code execution under the context of the application. An attacker must convince a victim to open a specially crafted document in order to trigger this vulnerability.

CVSS v3 7.8 HIGH
CVSS v2.0 6.8 MEDIUM

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://talosintelligence.com/vulnerability_reports/TALOS-2018-0711	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:atlantiswordprocessor:atlantis_word_processor:3.2.7.1:::::::*
	cpe:2.3:a:atlantiswordprocessor:atlantis_word_processor:3.2.7.2:::::::*

History

07 Jun 2022, 17:22

Type	Values Removed	Values Added
CWE	~~CWE-123~~	CWE-131

Information

Published : 2018-12-01 18:29

Updated : 2023-12-10 12:44

NVD link : CVE-2018-4038

Mitre link : CVE-2018-4038

CVE.ORG link : CVE-2018-4038

JSON object : View

Products Affected

atlantiswordprocessor

atlantis_word_processor

CWE

CWE-131

Incorrect Calculation of Buffer Size

{"id": "CVE-2018-4038", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Secondary", "source": "talos-cna@cisco.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2018-12-01T18:29:00.200", "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0711", "tags": ["Exploit", "Third Party Advisory"], "source": "talos-cna@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-131"}]}], "descriptions": [{"lang": "en", "value": "An exploitable arbitrary write vulnerability exists in the open document format parser of the Atlantis Word Processor, version 3.2.7.2, while trying to null-terminate a string. A specially crafted document can allow an attacker to pass an untrusted value as a length to a constructor. This constructor will miscalculate a length and then use it to calculate the position to write a null byte. This can allow an attacker to corrupt memory, which can result in code execution under the context of the application. An attacker must convince a victim to open a specially crafted document in order to trigger this vulnerability."}, {"lang": "es", "value": "Existe una vulnerabilidad explotable de escritura arbitraria en el analizador de ODF (Open Document Format) de Word de Atlantis Word Processor 3.2.7.2 al internar terminar una cadena en NULL. Un documento especialmente manipulado puede permitir que un atacante pase un valor no fiable como longitud para un constructor. Dicho constructor calcular\u00e1 err\u00f3neamente una longitud y, despu\u00e9s, la emplear\u00e1 para calcular la posici\u00f3n para escribir un byte null. Esto puede permitir que un atacante corrompa la memoria, lo que resulta en la ejecuci\u00f3n de c\u00f3digo bajo el contexto de la aplicaci\u00f3n. Un atacante debe convencer a una v\u00edctima para que abra un documento especialmente manipulado para provocar esta vulnerabilidad."}], "lastModified": "2022-06-07T17:22:05.797", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:atlantiswordprocessor:atlantis_word_processor:3.2.7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83AC760D-359D-4D6D-AE41-266ED2AD3B49"}, {"criteria": "cpe:2.3:a:atlantiswordprocessor:atlantis_word_processor:3.2.7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F4E012C-5A61-4665-A297-D8FFCB1236EC"}], "operator": "OR"}]}], "sourceIdentifier": "talos-cna@cisco.com"}