CVE-2018-19198

EUVD-2018-10907
An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an out-of-bounds write via a uriComposeQuery* or uriComposeQueryEx* function because the '&' character is mishandled in certain contexts.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
Affected Products (NVD)
VendorProductVersion
uriparser_projecturiparser
𝑥
< 0.9.0
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
uriparser
bookworm
0.9.7+dfsg-2
fixed
bullseye
0.9.4+dfsg-1+deb11u1
fixed
bullseye (security)
0.9.4+dfsg-1+deb11u1
fixed
sid
0.9.8+dfsg-1
fixed
trixie
0.9.8+dfsg-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
uriparser
bionic
Fixed 0.8.4-1+deb9u2build0.18.04.1
released
cosmic
ignored
disco
Fixed 0.9.0-1
released
eoan
not-affected
focal
not-affected
groovy
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
trusty
Fixed 0.7.5-1ubuntu2+esm1
released
xenial
Fixed 0.8.4-1ubuntu0.16.04.1~esm1
released
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2019:2280
https://github.com/uriparser/uriparser/blob/uriparser-0.9.0/ChangeLog
https://github.com/uriparser/uriparser/commit/864f5d4c127def386dd5cc926ad96934b297f04e
https://lists.debian.org/debian-lts-announce/2018/11/msg00019.html
https://access.redhat.com/errata/RHSA-2019:2280
https://github.com/uriparser/uriparser/blob/uriparser-0.9.0/ChangeLog
https://github.com/uriparser/uriparser/commit/864f5d4c127def386dd5cc926ad96934b297f04e
https://lists.debian.org/debian-lts-announce/2018/11/msg00019.html