What is the vulnerability ID?

The vulnerability ID is CVE-2023-4156.

What is the title of the vulnerability?

The title of the vulnerability is 'heap out of bound read in builtin.c'.

What is the severity of CVE-2023-4156?

The severity of CVE-2023-4156 is high with a severity value of 7.1.

What is the affected software for CVE-2023-4156?

The affected software for CVE-2023-4156 is gawk.

How can this vulnerability be fixed?

To fix CVE-2023-4156, update gawk to version 1:5.2.1-2 or apply the recommended patches.

Vulnerability/
CVE-2023-4156

high

7.1

CWE

125

19/6/2023

8/8/2023

25/9/2023

6/12/2024

CVE-2023-4156: Heap out of bound read in builtin.c

First published: Mon Jun 19 2023(Updated: )

A heap out of bound read issue exists in builtin.c of gawk prior to version 5.1.1. The array "the_args" takes an unsafe index "val", while it does not validate the index to ensure the index refers to a valid position in the array (e.g., exceedingly large or negative). The vulnerability can cause crash of the software and might be used by attackers to read sensitive information. <a href="https://mail.gnu.org/archive/html/bug-gawk/2022-08/msg00000.html">https://mail.gnu.org/archive/html/bug-gawk/2022-08/msg00000.html</a> <a href="https://mail.gnu.org/archive/html/bug-gawk/2022-08/msg00023.html">https://mail.gnu.org/archive/html/bug-gawk/2022-08/msg00023.html</a> <a href="https://fossies.org/linux/gawk/ChangeLog#470">https://fossies.org/linux/gawk/ChangeLog#470</a> (Line: 470-475)

Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
ubuntu/gawk	<1:5.2.1-1	1:5.2.1-1
ubuntu/gawk	<1:4.1.4+dfsg-1ubuntu0.1~	1:4.1.4+dfsg-1ubuntu0.1~
ubuntu/gawk	<1:5.0.1+dfsg-1ubuntu0.1	1:5.0.1+dfsg-1ubuntu0.1
ubuntu/gawk	<1:5.1.0-1ubuntu0.1	1:5.1.0-1ubuntu0.1
ubuntu/gawk	<1:4.0.1+dfsg-2.1ubuntu2+	1:4.0.1+dfsg-2.1ubuntu2+
ubuntu/gawk	<1:4.1.3+dfsg-0.1ubuntu0.1~	1:4.1.3+dfsg-0.1ubuntu0.1~
debian/gawk	<=1:4.2.1+dfsg-1<=1:5.1.0-1	1:5.2.1-2
redhat/gawk	<5.1.1	5.1.1
GNU Gawk	<5.1.1
Red Hat Enterprise Linux	=6.0
Red Hat Enterprise Linux	=7.0
Fedora	=38

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

USN-6373-1

Frequently Asked Questions

What is the vulnerability ID?
The vulnerability ID is CVE-2023-4156.
What is the title of the vulnerability?
The title of the vulnerability is 'heap out of bound read in builtin.c'.
What is the severity of CVE-2023-4156?
The severity of CVE-2023-4156 is high with a severity value of 7.1.
What is the affected software for CVE-2023-4156?
The affected software for CVE-2023-4156 is gawk.
How can this vulnerability be fixed?
To fix CVE-2023-4156, update gawk to version 1:5.2.1-2 or apply the recommended patches.

agent/type
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
agent/weakness
collector/usn-cve
source/Ubuntu
agent/software-canonical-lookup
collector/security-tracker-debian
source/Debian
agent/description
agent/author
agent/severity
agent/title
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/references
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-4156
agent/event
agent/trending
agent/source
agent/tags
agent/softwarecombine
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-cve
source/NVD
collector/nvd-api
package-manager/ubuntu
package-manager/debian
package-manager/redhat
vendor/gnu
canonical/gnu gawk
vendor/redhat
canonical/red hat enterprise linux
version/red hat enterprise linux/6.0
version/red hat enterprise linux/7.0
vendor/fedoraproject
canonical/fedora
version/fedora/38