CVE-2024-13941 (GCVE-0-2024-13941)
Vulnerability from cvelistv5 – Published: 2025-04-01 21:00 – Updated: 2025-04-02 14:09
VLAI
Title
ouch-org ouch zip.rs convert_zip_date_time memory corruption
Summary
A vulnerability was found in ouch-org ouch up to 0.3.1. It has been classified as critical. This affects the function ouch::archive::zip::convert_zip_date_time of the file zip.rs. The manipulation of the argument month leads to memory corruption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 0.4.0 is able to address this issue. It is recommended to upgrade the affected component.
Severity
5.3 (Medium)
5.3 (Medium)
CWE
- CWE-119 - Memory Corruption
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.302055 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.302055 | signaturepermissions-required |
| https://vuldb.com/?submit.524511 | third-party-advisory |
| https://github.com/ouch-org/ouch/issues/707 | issue-tracking |
| https://github.com/rustsec/advisory-db/pull/2084/files | issue-tracking |
| https://github.com/user-attachments/files/1676798… | exploit |
| https://github.com/ouch-org/ouch/releases/tag/0.4.0 | patch |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13941",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-02T13:59:16.710875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-02T14:09:03.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ouch-org/ouch/issues/707"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ouch",
"vendor": "ouch-org",
"versions": [
{
"status": "affected",
"version": "0.3.0"
},
{
"status": "affected",
"version": "0.3.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yewan (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in ouch-org ouch up to 0.3.1. It has been classified as critical. This affects the function ouch::archive::zip::convert_zip_date_time of the file zip.rs. The manipulation of the argument month leads to memory corruption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 0.4.0 is able to address this issue. It is recommended to upgrade the affected component."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in ouch-org ouch bis 0.3.1 ausgemacht. Sie wurde als kritisch eingestuft. Es betrifft die Funktion ouch::archive::zip::convert_zip_date_time der Datei zip.rs. Mittels Manipulieren des Arguments month mit unbekannten Daten kann eine memory corruption-Schwachstelle ausgenutzt werden. Der Angriff muss lokal erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 0.4.0 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T21:00:12.923Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-302055 | ouch-org ouch zip.rs convert_zip_date_time memory corruption",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.302055"
},
{
"name": "VDB-302055 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.302055"
},
{
"name": "Submit #524511 | ouch-org ouch 0.3.1 Memory Corruption",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.524511"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/ouch-org/ouch/issues/707"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/rustsec/advisory-db/pull/2084/files"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/user-attachments/files/16767988/ouch.crash.report.docx"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ouch-org/ouch/releases/tag/0.4.0"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-03-30T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-03-30T20:04:20.000Z",
"value": "VulDB entry last update"
}
],
"title": "ouch-org ouch zip.rs convert_zip_date_time memory corruption"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-13941",
"datePublished": "2025-04-01T21:00:12.923Z",
"dateReserved": "2025-03-30T17:58:15.284Z",
"dateUpdated": "2025-04-02T14:09:03.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-13941",
"date": "2026-05-31",
"epss": "0.00195",
"percentile": "0.41246"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-13941\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2025-04-01T21:15:41.807\",\"lastModified\":\"2025-04-02T14:58:07.527\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was found in ouch-org ouch up to 0.3.1. It has been classified as critical. This affects the function ouch::archive::zip::convert_zip_date_time of the file zip.rs. The manipulation of the argument month leads to memory corruption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 0.4.0 is able to address this issue. It is recommended to upgrade the affected component.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una vulnerabilidad en ouch-org ouch hasta la versi\u00f3n 0.3.1. Se ha clasificado como cr\u00edtica. Afecta a la funci\u00f3n ouch::archive::zip::convert_zip_date_time del archivo zip.rs. La manipulaci\u00f3n del argumento \\\"month\\\" provoca corrupci\u00f3n de memoria. El ataque debe abordarse localmente. Se ha hecho p\u00fablico el exploit y puede que sea utilizado. Actualizar a la versi\u00f3n 0.4.0 puede solucionar este problema. Se recomienda actualizar el componente afectado.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.8,\"impactScore\":3.4}],\"cvssMetricV2\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":4.3,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.1,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"}]}],\"references\":[{\"url\":\"https://github.com/ouch-org/ouch/issues/707\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://github.com/ouch-org/ouch/releases/tag/0.4.0\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://github.com/rustsec/advisory-db/pull/2084/files\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://github.com/user-attachments/files/16767988/ouch.crash.report.docx\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?ctiid.302055\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?id.302055\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://vuldb.com/?submit.524511\",\"source\":\"cna@vuldb.com\"},{\"url\":\"https://github.com/ouch-org/ouch/issues/707\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-13941\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-02T13:59:16.710875Z\"}}}], \"references\": [{\"url\": \"https://github.com/ouch-org/ouch/issues/707\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-02T14:00:57.109Z\"}}], \"cna\": {\"title\": \"ouch-org ouch zip.rs convert_zip_date_time memory corruption\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"yewan (VulDB User)\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 4.3, \"vectorString\": \"AV:L/AC:L/Au:S/C:P/I:P/A:P\"}}], \"affected\": [{\"vendor\": \"ouch-org\", \"product\": \"ouch\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.3.0\"}, {\"status\": \"affected\", \"version\": \"0.3.1\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-08-27T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2025-03-30T01:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2025-03-30T20:04:20.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.302055\", \"name\": \"VDB-302055 | ouch-org ouch zip.rs convert_zip_date_time memory corruption\", \"tags\": [\"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://vuldb.com/?ctiid.302055\", \"name\": \"VDB-302055 | CTI Indicators (IOB, IOC, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/?submit.524511\", \"name\": \"Submit #524511 | ouch-org ouch 0.3.1 Memory Corruption\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/ouch-org/ouch/issues/707\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/rustsec/advisory-db/pull/2084/files\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/user-attachments/files/16767988/ouch.crash.report.docx\", \"tags\": [\"exploit\"]}, {\"url\": \"https://github.com/ouch-org/ouch/releases/tag/0.4.0\", \"tags\": [\"patch\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was found in ouch-org ouch up to 0.3.1. It has been classified as critical. This affects the function ouch::archive::zip::convert_zip_date_time of the file zip.rs. The manipulation of the argument month leads to memory corruption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 0.4.0 is able to address this issue. It is recommended to upgrade the affected component.\"}, {\"lang\": \"de\", \"value\": \"Es wurde eine Schwachstelle in ouch-org ouch bis 0.3.1 ausgemacht. Sie wurde als kritisch eingestuft. Es betrifft die Funktion ouch::archive::zip::convert_zip_date_time der Datei zip.rs. Mittels Manipulieren des Arguments month mit unbekannten Daten kann eine memory corruption-Schwachstelle ausgenutzt werden. Der Angriff muss lokal erfolgen. Der Exploit steht zur \\u00f6ffentlichen Verf\\u00fcgung. Ein Aktualisieren auf die Version 0.4.0 vermag dieses Problem zu l\\u00f6sen. Als bestm\\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-119\", \"description\": \"Memory Corruption\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2025-04-01T21:00:12.923Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-13941\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-02T14:09:03.706Z\", \"dateReserved\": \"2025-03-30T17:58:15.284Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2025-04-01T21:00:12.923Z\", \"assignerShortName\": \"VulDB\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…