CVE-2018-8754

The libevt_record_values_read_event() function in libevt_record_values.c in libevt before 2018-03-17 does not properly check for out-of-bounds values of user SID data size, strings size, or data size. NOTE: the vendor has disputed this as described in libyal/libevt issue 5 on GitHub.
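
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.5 MEDIUM | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| mitre | CNA | --- | --- | --- | --- | --- |
| CISA-ADP | ADP | --- | --- | --- | --- | --- |
| CVE | ADP | --- | --- | --- | --- | --- |
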
EPSS Score Percentile: 15%

| Vendor | Product | Version |
|---|---|---|
| libevt_project | libevt | 𝑥 < 20180317 |
| debian | debian_linux | 9.0 |

𝑥 = Vulnerable software versions

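Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| libevt | bookworm | 20200926-1 | fixed |
| libevt | bullseye | 20200926-1 | fixed |
| libevt | sid | 20200926-1.1 | fixed |
| libevt | trixie | 20200926-1.1 | fixed |
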
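Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| libevt | noble | Fixed 20170120-2 | released |
| libevt | mantic | Fixed 20170120-2 | released |
| libevt | lunar | Fixed 20170120-2 | released |
| libevt | kinetic | Fixed 20170120-2 | released |
| libevt | jammy | Fixed 20170120-2 | released |
| libevt | impish | Fixed 20170120-2 | released |
| libevt | hirsute | Fixed 20170120-2 | released |
| libevt | groovy | Fixed 20170120-2 | released |
| libevt | focal | Fixed 20170120-2 | released |
| libevt | eoan | Fixed 20170120-2 | released |
| libevt | disco | Fixed 20170120-2 | released |
| libevt | cosmic | Fixed 20170120-2 | released |
| libevt | bionic | Fixed 20170120-2 | released |
| libevt | artful | Fixed 20170120-1+deb9u1build0.17.10.1 | released |
| libevt | xenial | | not-affected |
| libevt | trusty | | dne |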