CVE-2023-41038

EUVD-2023-45573
Firebird is a relational database. Versions 4.0.0 through 4.0.3 and version 5.0 beta1 are vulnerable to a server crash when a user uses a specific form of SET BIND statement. Any non-privileged user with minimum access to a server may type a statement with a long `CHAR` length, which causes the server to crash due to stack corruption. Versions 4.0.4.2981 and 5.0.0.117 contain fixes for this issue. No known workarounds are available.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 29%
Affected Products (NVD)
VendorProductVersion
firebirdsqlfirebird
4.0.0 ≤
𝑥
≤ 4.0.3
firebirdsqlfirebird
5.0:beta1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
firebird3.0
bookworm
3.0.11.33637.ds4-2
fixed
bullseye
3.0.7.33374.ds4-2
fixed
sid
3.0.12.ds7-1
fixed
trixie
3.0.11.33703.ds4-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
firebird2.5
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
trusty
ignored
xenial
needs-triage
firebird3.0
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
mantic
ignored
noble
needs-triage
oracular
needs-triage
relational
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
mantic
ignored
noble
needs-triage
oracular
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://firebirdsql.org/en/snapshot-builds
https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-6fv8-8rwr-9692
https://firebirdsql.org/en/snapshot-builds
https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-6fv8-8rwr-9692