CVE-2019-8904

Name of the Vulnerable Software and Affected Versions file version 5.35

Description The issue is related to a stack-based buffer over-read in the do bid note function in readelf.c in libmagic.a. This is connected to file printf and file vprintf. Exploitation of the issue may allow a remote attacker to impact the confidentiality, integrity, and availability of protected information.

Recommendations For file version 5.35, consider disabling the do bid note function as a temporary workaround until a patch is available. Restrict access to the readelf.c module to minimize the risk of exploitation. Avoid using the file printf and file vprintf functions in the affected API endpoint until the issue is resolved.