A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7168-1 advisory.

    It was discovered that EditorConfig improperly managed memory when handling certain inputs, leading to     overflows. An attacker could possibly use these issues to cause a denial of service, or execute arbitrary     code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3978 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3978-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                    Thorsten Alteholz     November 30, 2024                             https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : editorconfig-core     Version        : 0.12.1-1.1+deb11u1     CVE ID         : CVE-2023-0341 CVE-2024-53849


    Two issues have been found in editorconfig-core, a coding style indenter     for all editors. Both issues are related to buffer overflows in different     locations.



    For Debian 11 bullseye, these problems have been fixed in version     0.12.1-1.1+deb11u1.

    We recommend that you upgrade your editorconfig-core packages.

    For the detailed security status of editorconfig-core please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/editorconfig-core

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202411-04 (EditorConfig core C library: arbitrary stack write)

    A vulnerability has been discovered in EditorConfig Core C library. Please review the CVE identifier     referenced below for details.

Tenable has extracted the preceding description block directly from the Gentoo Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-6e5d4757df advisory.

    Security fix for CVE-2023-0341: update to 0.12.6 (close RHBZ#2162811)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2023:0102-1 advisory.

  - A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed     an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-     core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer.
    (CVE-2023-0341)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM host has packages installed that are affected by a vulnerability as referenced in the USN-5842-1 advisory.

    Mark Esler and David Fernandez Gonzalez discovered that EditorConfig Core C incorrectly handled memory     when handling certain inputs. An attacker could possibly use this issue to cause applications using     EditorConfig Core C to crash, resulting in a denial of service, or possibly execute arbitrary code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
213096	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS : EditorConfig vulnerabilities (USN-7168-1)	Nessus	Ubuntu Local Security Checks	medium
211975	Debian dla-3978 : editorconfig - security update	Nessus	Debian Local Security Checks	medium
210449	GLSA-202411-04 : EditorConfig core C library: arbitrary stack write	Nessus	Gentoo Local Security Checks	high
176548	Fedora 37 : editorconfig (2023-6e5d4757df)	Nessus	Fedora Local Security Checks	high
175128	openSUSE 15 Security Update : editorconfig-core-c (openSUSE-SU-2023:0102-1)	Nessus	SuSE Local Security Checks	high
171014	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM : EditorConfig Core C vulnerability (USN-5842-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2023-0341

high

Tenable Plugins

medium

medium

high

high

high

high