CVE-2018-16839 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
redhat	CNA	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 56%

Vendor	Product	Version
haxx	curl	7.33.0 ≤ 𝑥 ≤ 7.61.1
debian	debian_linux	8.0
debian	debian_linux	9.0
canonical	ubuntu_linux	14.04
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	18.04
canonical	ubuntu_linux	18.10

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

curl

bullseye	7.74.0-1.3+deb11u13 fixed
bullseye (security)	7.74.0-1.3+deb11u11 fixed
bookworm	7.88.1-10+deb12u7 fixed
bookworm (security)	7.88.1-10+deb12u5 fixed
sid	8.10.1-2 fixed
trixie	8.10.1-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

curl

cosmic	Fixed 7.61.0-1ubuntu2.2 released
bionic	Fixed 7.58.0-2ubuntu3.5 released
xenial	Fixed 7.47.0-1ubuntu2.11 released
trusty	Fixed 7.35.0-1ubuntu2.19 released

Common Weakness Enumeration

CWE-122 - Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

http://www.securitytracker.com/id/1042012

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16839

https://curl.haxx.se/docs/CVE-2018-16839.html

https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5

https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E

https://lists.debian.org/debian-lts-announce/2018/11/msg00005.html

https://security.gentoo.org/glsa/201903-03

https://usn.ubuntu.com/3805-1/

https://www.debian.org/security/2018/dsa-4331

http://www.securitytracker.com/id/1042012

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16839

https://curl.haxx.se/docs/CVE-2018-16839.html

https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5

https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E

https://lists.debian.org/debian-lts-announce/2018/11/msg00005.html

https://security.gentoo.org/glsa/201903-03

https://usn.ubuntu.com/3805-1/

https://www.debian.org/security/2018/dsa-4331