CVE-2019-17266

Name of the Vulnerable Software and Affected Versions libsoup versions 2.65.1 through 2.68.1

Description The issue is caused by a heap-based buffer over-read in the soup ntlm parse challenge() function, located in soup-auth-ntlm.c, which fails to properly check the length of an NTLM message before performing a memcpy. This can allow a remote attacker to impact the integrity, confidentiality, and availability of protected information.

Recommendations For versions 2.65.1 through 2.68.1, consider disabling the soup ntlm parse challenge() function as a temporary workaround until a patch is available. Restrict access to NTLM authentication to minimize the risk of exploitation. Avoid using NTLM authentication in the affected libsoup versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.