{"id":"CVE-2017-5522","details":"Stack-based buffer overflow in MapServer before 6.0.6, 6.2.x before 6.2.4, 6.4.x before 6.4.5, and 7.0.x before 7.0.4 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via vectors involving WFS get feature requests.","modified":"2026-04-11T03:11:40.417554Z","published":"2017-03-15T16:59:00.283Z","references":[{"type":"ADVISORY","url":"http://www.mapserver.org/development/changelog/changelog-6-2-4.html#changelog-6-2-4"},{"type":"ADVISORY","url":"http://www.mapserver.org/development/changelog/changelog-6-4.html#changelog-6-4-5"},{"type":"ADVISORY","url":"http://www.mapserver.org/development/changelog/changelog-7-0.html#changelog-7-0-4"},{"type":"ADVISORY","url":"https://lists.osgeo.org/pipermail/mapserver-dev/2017-January/015007.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3766"},{"type":"ADVISORY","url":"http://www.mapserver.org/development/changelog/changelog-6-0-6.html#changelog-6-0-6"},{"type":"FIX","url":"https://github.com/mapserver/mapserver/commit/e52a436c0e1c5e9f7ef13428dba83194a800f4df"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mapserver/mapserver","events":[{"introduced":"0"},{"last_affected":"a50744748797057f2c3a7509cd82e36dde6d9eb6"},{"introduced":"0"},{"last_affected":"d5e2cef47422e257fea58d6492ff8ab2c8f9c2da"},{"introduced":"0"},{"last_affected":"6c9d17a2ca188e552703d472de2b57f2ea7a98d4"},{"introduced":"0"},{"last_affected":"cb058f64f2500e7cc809d8a171c5d20dee3a3aac"},{"introduced":"0"},{"last_affected":"736493b16104b79e3b0b2e26f8cecf345f91fc3a"},{"introduced":"0"},{"last_affected":"00791ca448286592c609951db4ac531e34bbed46"},{"introduced":"0"},{"last_affected":"e15f0a64071a215a616c0164326384ee33f1d02b"},{"introduced":"0"},{"last_affected":"1f554956e8095623bffa18b6ad7ad14841ab15a9"},{"introduced":"0"},{"last_affected":"3b531be271a1a01701e92eb7029d1914df466872"},{"introduced":"0"},{"last_affected":"3a70778f80c4f93409ba08b1479199f6105971fd"},{"introduced":"0"},{"last_affected":"f455dfe7b1b327d90b26c002ac9b4a9bf995acff"},{"introduced":"0"},{"last_affected":"a098e546885dd7244ce6174ec11e6f0410879a41"},{"introduced":"0"},{"last_affected":"3af20733f10c59b3f08d4031d2c91c8776bd0e1e"},{"introduced":"0"},{"last_affected":"650cc30cd0c1df54d65493cf0781884d788fcd6d"},{"introduced":"0"},{"last_affected":"44dc7510cb67afa0292c56593e6052fdd1fce32f"},{"introduced":"0"},{"last_affected":"44ac0871f511e0678795b601cb5c69a52776e25f"},{"introduced":"0"},{"last_affected":"1882b7c0f5898c14661bcffe00665c3f365da1e2"},{"introduced":"0"},{"last_affected":"5449a6ad858659f3dfed34886237567b207cb85e"},{"introduced":"0"},{"last_affected":"3392ca15f3aee0806b8ca0cae056e3c9bbc704a9"},{"introduced":"0"},{"last_affected":"67831cb3dfda9a7103a0ea1bf5da67d351802ff0"},{"introduced":"0"},{"last_affected":"936518bac4b6ed449d9883c36f1fd01ebfd70c2d"},{"introduced":"0"},{"last_affected":"e91f7b28f391ddafe5ce1a5eb79cefe633c36eaf"},{"introduced":"0"},{"last_affected":"6ae2bc6915d73417f4fea78201d4f7087c25b3f1"},{"introduced":"0"},{"last_affected":"4ea78eb919147924bbf66d426a0bb8000f94c768"},{"introduced":"0"},{"last_affected":"0f9ece882a48a286f933a17aa40880073df93aac"},{"fixed":"e52a436c0e1c5e9f7ef13428dba83194a800f4df"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"8.0"},{"introduced":"0"},{"last_affected":"6.0.5"},{"introduced":"0"},{"last_affected":"6.2.0"},{"introduced":"0"},{"last_affected":"6.2.0-beta1"},{"introduced":"0"},{"last_affected":"6.2.0-beta2"},{"introduced":"0"},{"last_affected":"6.2.0-beta3"},{"introduced":"0"},{"last_affected":"6.2.0-beta4"},{"introduced":"0"},{"last_affected":"6.2.0-rc1"},{"introduced":"0"},{"last_affected":"6.2.1"},{"introduced":"0"},{"last_affected":"6.2.2"},{"introduced":"0"},{"last_affected":"6.2.3"},{"introduced":"0"},{"last_affected":"6.4.0"},{"introduced":"0"},{"last_affected":"6.4.0-beta1"},{"introduced":"0"},{"last_affected":"6.4.0-beta2"},{"introduced":"0"},{"last_affected":"6.4.0-rc1"},{"introduced":"0"},{"last_affected":"6.4.1"},{"introduced":"0"},{"last_affected":"6.4.2"},{"introduced":"0"},{"last_affected":"6.4.3"},{"introduced":"0"},{"last_affected":"6.4.4"},{"introduced":"0"},{"last_affected":"7.0.0"},{"introduced":"0"},{"last_affected":"7.0.0-beta1"},{"introduced":"0"},{"last_affected":"7.0.0-beta2"},{"introduced":"0"},{"last_affected":"7.0.1"},{"introduced":"0"},{"last_affected":"7.0.2"},{"introduced":"0"},{"last_affected":"7.0.3"}]}}],"versions":["6.0.3","rel-3-4","rel-3-5-0","rel-4-0-0","rel-4-10-0","rel-4-10-0-beta1","rel-4-10-0-beta2","rel-4-10-0-beta3","rel-4-10-0-rc1","rel-4-4-0","rel-4-4-0-beta1","rel-4-4-0-beta2","rel-4-4-0-beta3","rel-4-6-0","rel-4-6-0-beta1","rel-4-6-0-beta2","rel-4-6-0-beta3","rel-4-6-0-rc1","rel-4-8-0-beta1","rel-4-8-0-beta2","rel-4-8-0-beta3","rel-4-8-0-rc2","rel-6-0-3-0","rel-6-0-4","rel-6-0-5","rel-6-2-0","rel-6-2-0-beta1","rel-6-2-0-beta2","rel-6-2-0-beta3","rel-6-2-0-beta4","rel-6-2-0-rc1","rel-6-2-1","rel-6-2-2","rel-6-2-3","rel-6-4-0","rel-6-4-0-beta1","rel-6-4-0-beta2","rel-6-4-0-rc1","rel-6-4-1","rel-6-4-2","rel-6-4-3","rel-6-4-4","rel-7-0-0","rel-7-0-0-beta1","rel-7-0-0-beta2","rel-7-0-1","rel-7-0-2","rel-7-0-3","rel-8-0-0","rel-8-0-0-beta1","rel-8-0-0-beta2","rel-8-0-0-rc1","rel-8-0-0-rc2","styleObj"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5522.json","vanir_signatures":[{"id":"CVE-2017-5522-1b5eddec","signature_version":"v1","source":"https://github.com/mapserver/mapserver/commit/e52a436c0e1c5e9f7ef13428dba83194a800f4df","target":{"function":"FLTGetIsLikeComparisonCommonExpression","file":"mapogcfiltercommon.c"},"signature_type":"Function","digest":{"length":1853,"function_hash":"78958092480897395008745378951998339160"},"deprecated":false},{"id":"CVE-2017-5522-773d9de8","signature_version":"v1","source":"https://github.com/mapserver/mapserver/commit/e52a436c0e1c5e9f7ef13428dba83194a800f4df","target":{"file":"mapogcfiltercommon.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["134725315701098322164442788430346890063","30343050412733377884150706812979781181","1738462496375633196784044549106424378","75265047102005152013675957596411721348"]},"deprecated":false},{"id":"CVE-2017-5522-8388f5e9","signature_version":"v1","source":"https://github.com/mapserver/mapserver/commit/e52a436c0e1c5e9f7ef13428dba83194a800f4df","target":{"function":"FLTGetIsLikeComparisonExpression","file":"mapogcfilter.c"},"signature_type":"Function","digest":{"length":1853,"function_hash":"179232170287543485425012009100138400529"},"deprecated":false},{"id":"CVE-2017-5522-91ce951d","signature_version":"v1","source":"https://github.com/mapserver/mapserver/commit/e52a436c0e1c5e9f7ef13428dba83194a800f4df","target":{"file":"mapogcfilter.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["134725315701098322164442788430346890063","30343050412733377884150706812979781181","148764181183899427865026982802881782215","106135687746595787786735168921839244016"]},"deprecated":false}],"vanir_signatures_modified":"2026-04-11T03:11:40Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}