CVE-2013-6497
Description
clamscan in ClamAV before 0.98.5, when using the -a option, allows remote attackers to cause a denial of service (crash), as demonstrated by the jwplayer.js file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ClamAV's clamscan with -a option crashes on crafted JavaScript files, leading to denial of service.
Vulnerability
ClamAV before version 0.98.5 contains a denial-of-service vulnerability in the clamscan utility when the -a (archive scanning) option is used. The bug is triggered by specially crafted JavaScript files, such as the jwplayer.js file used as a proof-of-concept [1][2][4]. The issue was discovered by Kurt Seifried and reported in 2013 [1].
Exploitation
An attacker can exploit this vulnerability by providing a malicious JavaScript file to a system running clamscan -a. No authentication is required; the attacker only needs to deliver the file via email, web download, or any other vector that triggers ClamAV scanning. The clamscan process will crash upon processing the crafted file [1][4].
Impact
Successful exploitation results in a denial of service (DoS) as the clamscan process crashes. The crash may disrupt antivirus scanning operations, potentially allowing other malicious files to go undetected. The Ubuntu security notice also notes the possibility of arbitrary code execution, though the primary impact described is a crash [4].
Mitigation
The vulnerability is fixed in ClamAV version 0.98.5, released on November 18, 2014 [1][2]. Users should upgrade to ClamAV 0.98.5 or later. Ubuntu provided updates in USN-2423-1 (for Ubuntu 14.10, 14.04 LTS, 12.04 LTS) and USN-2488-2 (for Ubuntu 10.04 LTS) [3][4]. No workaround is documented; upgrading is the recommended action.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References (17)
- blog.clamav.net/2014/11/clamav-0985-has-been-released.html (nvd; Patch, Vendor Advisory)
- bugzilla.clamav.net/show_bug.cgi (nvd; Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2014-November/144754.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2014-November/144979.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2014-12/msg00003.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2014-12/msg00006.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2014-12/msg00007.html (nvd)
- secunia.com/advisories/59645 (nvd)
- secunia.com/advisories/60150 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.openwall.com/lists/oss-security/2014/11/19/2 (nvd)
- www.openwall.com/lists/oss-security/2014/11/19/5 (nvd)
- www.securityfocus.com/bid/71178 (nvd)
- www.ubuntu.com/usn/USN-2423-1 (nvd)
- www.ubuntu.com/usn/USN-2488-2 (nvd)
- bugzilla.redhat.com/show_bug.cgi (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/98804 (nvd)