CVE-2018-1000168

nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
VendorProductVersion
nghttp2nghttp2
1.10.0 ≤
𝑥
≤ 1.31.0
nodejsnode.js
6.0.0 ≤
𝑥
≤ 6.8.1
nodejsnode.js
8.4.0 ≤
𝑥
≤ 8.17.0
nodejsnode.js
9.0.0 ≤
𝑥
≤ 9.11.2
nodejsnode.js
10.0.0 ≤
𝑥
< 10.4.1
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
nghttp2
bullseye
1.43.0-1+deb11u1
fixed
jessie
not-affected
bullseye (security)
1.43.0-1+deb11u2
fixed
bookworm
1.52.0-1+deb12u1
fixed
bookworm (security)
1.52.0-1+deb12u1
fixed
sid
1.64.0-1
fixed
trixie
1.64.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nghttp2
bionic
Fixed 1.30.0-1ubuntu1
released
artful
ignored
xenial
not-affected
trusty
dne
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/103952
https://access.redhat.com/errata/RHSA-2019:0366
https://access.redhat.com/errata/RHSA-2019:0367
https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html
https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/
http://www.securityfocus.com/bid/103952
https://access.redhat.com/errata/RHSA-2019:0366
https://access.redhat.com/errata/RHSA-2019:0367
https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html
https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/