CVE-2018-5378

The Quagga BGP daemon (bgpd) prior to version 1.2.3 does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or bgpd may crash.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
certccCNA
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 87%
VendorProductVersion
quaggaquagga
𝑥
≤ 1.2.2
debiandebian_linux
8.0
debiandebian_linux
9.0
canonicalubuntu_linux
14.04
canonicalubuntu_linux
16.04
canonicalubuntu_linux
17.10
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
quagga
artful
Fixed 1.1.1-3ubuntu0.2
released
xenial
not-affected
trusty
dne
Common Weakness Enumeration
References
http://savannah.nongnu.org/forum/forum.php?forum_id=9095
http://www.kb.cert.org/vuls/id/940439
https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-0543.txt
https://security.gentoo.org/glsa/201804-17
https://usn.ubuntu.com/3573-1/
https://www.debian.org/security/2018/dsa-4115
http://savannah.nongnu.org/forum/forum.php?forum_id=9095
http://www.kb.cert.org/vuls/id/940439
https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-0543.txt
https://security.gentoo.org/glsa/201804-17
https://usn.ubuntu.com/3573-1/
https://www.debian.org/security/2018/dsa-4115