VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-4t2f-bfv9-aaan

Essentials
Severities (109)
References (35)
Severity details (18)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-4t2f-bfv9-aaan
Aliases	CVE-2017-1000257
Summary	An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.
Status	Published
Exploitability	0.5
Weighted Severity	9.0
Risk	4.5
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-125	Out-of-bounds Read
CWE-126	Buffer Over-read

System	Score	Found at
generic_textual	Medium	http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000257.html
rhas	Important	https://access.redhat.com/errata/RHSA-2018:2486
cvssv3.1	9.8	https://access.redhat.com/errata/RHSA-2018:3558
generic_textual	CRITICAL	https://access.redhat.com/errata/RHSA-2018:3558
cvssv3	4.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000257.json
epss	0.00661	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.00661	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.00661	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.00697	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.00697	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.00697	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01023	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01078	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01889	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01889	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01889	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.01889	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.02191	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.02191	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.02191	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.02191	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.02191	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.02191	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.02191	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.02191	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.02191	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.02191	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.02191	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.02191	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
epss	0.02391	https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
rhbs	medium	https://bugzilla.redhat.com/show_bug.cgi?id=1503705
generic_textual	Medium	https://curl.haxx.se/docs/adv_20171023.html
cvssv3.1	Medium	https://curl.se/docs/CVE-2017-1000257.html
generic_textual	Medium	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257
cvssv2	4	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3	4.8	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2	6.4	https://nvd.nist.gov/vuln/detail/CVE-2017-1000257
cvssv3	9.1	https://nvd.nist.gov/vuln/detail/CVE-2017-1000257
archlinux	Medium	https://security.archlinux.org/AVG-462
archlinux	Medium	https://security.archlinux.org/AVG-463
archlinux	Medium	https://security.archlinux.org/AVG-464
archlinux	Medium	https://security.archlinux.org/AVG-465
archlinux	Medium	https://security.archlinux.org/AVG-466
archlinux	Medium	https://security.archlinux.org/AVG-467
generic_textual	Negligible	https://ubuntu.com/security/notices/USN-3441-2
generic_textual	Medium	https://ubuntu.com/security/notices/USN-3457-1

Reference id	Reference type	URL
		http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000257.html
		https://access.redhat.com/errata/RHSA-2017:3263
		https://access.redhat.com/errata/RHSA-2018:3558
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000257.json
		https://api.first.org/data/v1/epss?cve=CVE-2017-1000257
		https://curl.haxx.se/docs/adv_20171023.html
		https://curl.se/docs/CVE-2017-1000257.html
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://security.gentoo.org/glsa/201712-04
		https://ubuntu.com/security/notices/USN-3441-2
		https://ubuntu.com/security/notices/USN-3457-1
		http://www.debian.org/security/2017/dsa-4007
		http://www.securityfocus.com/bid/101519
		http://www.securitytracker.com/id/1039644
1503705		https://bugzilla.redhat.com/show_bug.cgi?id=1503705
ASA-201711-10		https://security.archlinux.org/ASA-201711-10
ASA-201711-11		https://security.archlinux.org/ASA-201711-11
ASA-201711-6		https://security.archlinux.org/ASA-201711-6
ASA-201711-7		https://security.archlinux.org/ASA-201711-7
ASA-201711-8		https://security.archlinux.org/ASA-201711-8
ASA-201711-9		https://security.archlinux.org/ASA-201711-9
AVG-462		https://security.archlinux.org/AVG-462
AVG-463		https://security.archlinux.org/AVG-463
AVG-464		https://security.archlinux.org/AVG-464
AVG-465		https://security.archlinux.org/AVG-465
AVG-466		https://security.archlinux.org/AVG-466
AVG-467		https://security.archlinux.org/AVG-467
cpe:2.3:a:haxx:libcurl::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:haxx:libcurl::::::::
cpe:2.3:o:debian:debian_linux:8.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:o:debian:debian_linux:9.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:::::::*
CVE-2017-1000257		https://nvd.nist.gov/vuln/detail/CVE-2017-1000257
RHSA-2018:2486		https://access.redhat.com/errata/RHSA-2018:2486
USN-3441-2		https://usn.ubuntu.com/3441-2/
USN-3457-1		https://usn.ubuntu.com/3457-1/

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/errata/RHSA-2018:3558

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-1000257.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:H/Au:N/C:N/I:P/A:P Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2017-1000257

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2017-1000257

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.70124
EPSS Score	0.00661
Published At	June 1, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.