CVE-2018-18409

A stack-based buffer over-read exists in setbit() at iptree.h of TCPFLOW 1.5.0, due to received incorrect values causing incorrect computation, leading to denial of service during an address_histogram call or a get_histogram call.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
digitalcorporatcpflow
1.5.0
canonicalubuntu_linux
16.04
canonicalubuntu_linux
18.04
canonicalubuntu_linux
18.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tcpflow
bullseye
1.5.2+repack1-1
fixed
bookworm
1.6.1-2
fixed
sid
1.6.1-3
fixed
trixie
1.6.1-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tcpflow
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
not-affected
disco
not-affected
cosmic
Fixed 1.4.5+repack1-4ubuntu0.18.10.1
released
bionic
Fixed 1.4.5+repack1-4ubuntu0.18.04.1
released
xenial
Fixed 1.4.5+repack1-1ubuntu0.1
released
trusty
Fixed 1.4.4+repack1-2ubuntu0.1~esm1
released
Common Weakness Enumeration
References
https://github.com/simsong/tcpflow/issues/195
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K6MP4YMCJX4ITOBFX427UMOA6E7ZLJDE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MN5FW6HKPDP7PI2IVNMFSQVIDSCQ5BOR/
https://usn.ubuntu.com/3955-1/
https://github.com/simsong/tcpflow/issues/195
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K6MP4YMCJX4ITOBFX427UMOA6E7ZLJDE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MN5FW6HKPDP7PI2IVNMFSQVIDSCQ5BOR/
https://usn.ubuntu.com/3955-1/