CVE-2019-12816

NameCVE-2019-12816
DescriptionModules.cpp in ZNC before 1.7.4-rc1 allows remote authenticated non-admin users to escalate privileges and execute arbitrary code by loading a module with a crafted name.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1830-1, DSA-4463-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
znc (PTS)jessie1.4-2vulnerable
jessie (security)1.4-2+deb8u2fixed
stretch1.6.5-1+deb9u1vulnerable
stretch (security)1.6.5-1+deb9u2fixed
bullseye, buster1.7.2-3fixed
sid1.7.4-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zncsource(unstable)1.7.2-3medium
zncsourcejessie1.4-2+deb8u2mediumDLA-1830-1
zncsourcestretch1.6.5-1+deb9u2mediumDSA-4463-1

Notes

Versions affected: 0.098 - 1.7.3
https://github.com/znc/znc/commit/8de9e376ce531fe7f3c8b0aa4876d15b479b7311
Search for package or bug name: Reporting problems