Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is associated with program files inflate.C. This issue affects proton: before 1.6.16.
The vulnerability consists of writing data beyond the boundaries of allocated buffer memory in the inflate.C file, belonging to the Foundation module of the Poco library embedded in the proton project. A remote attacker, without authentication and without user interaction, can supply crafted input data that triggers improper memory write. Such out-of-bounds write errors can be exploited to overwrite critical data structures or execute arbitrary code.
An attacker can gain full control over the vulnerable system, including executing arbitrary code (RCE) and compromising the confidentiality, integrity, and availability of both the application itself and related systems.
Update timeplus-io proton to version 1.6.16 or later. Patch details are available in the vendor's pull request: https://github.com/timeplus-io/proton/pull/943
timeplus-io proton versions earlier than 1.6.16
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber