CVE-2014-2015
freeradius - security update
EPSS 0.88%
Description
Stack-based buffer overflow in the normify function in the rlm_pap module (modules/rlm_pap/rlm_pap.c) in FreeRADIUS 2.x, possibly 2.2.3 and earlier, and 3.x, possibly 3.0.1 and earlier, might allow attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long password hash, as demonstrated by an SSHA hash.
How to fix CVE-2014-2015
To remediate CVE-2014-2015, upgrade the affected package to a fixed version below.
- Debian/freeradius—upgrade to 2.2.5+dfsg-0.1 or later
- Debian/freeradius—upgrade to 2.1.12+dfsg-1.2+deb7u1 or later
Is CVE-2014-2015 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.2.5+dfsg-0.1
- from 0, < 2.1.12+dfsg-1.2+deb7u1