CVSS2: AV:L/AC:L/Au:N/C:C/I:C/A:C

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

CVSS3: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

EPSS Percentile: 51.2%

A system driver in the Dokan Open Source File System contains a stack-based buffer overflow, which could allow an attacker to gain elevated privileges on the host machine.
CWE-121: Stack-based Buffer Overflow - CVE-2018-5410
Dokan versions between 1.0.0.5000 and 1.2.0.1000 are vulnerable to a stack-based buffer overflow in the dokan1.sys driver. An attacker can create a device handle to the system driver and send arbitrary input that will trigger the vulnerability. This vulnerability was introduced in the 1.0.0.5000 version update.
An attacker could corrupt the kernel memory and elevate their system privileges to gain control of the system.
Update to the newest version
Dokan developers have released a new version, 1.2.1, that fixes this vulnerability by validating the user input.
Please see the update here.
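
A fleet triage check built from the version range stated above, as an added example that is not part of the original advisory or of Dokan's code: it classifies `dokan1.sys` file versions collected by an inventory tool. Treating the stated bounds as inclusive, the `review` bucket for builds the advisory does not mention, and the sample hosts are assumptions made here.

```python
import re

# Bounds taken from the advisory text; comparing them inclusively is an assumption.
FIRST_AFFECTED = (1, 0, 0, 5000)
LAST_AFFECTED = (1, 2, 0, 1000)
FIRST_FIXED = (1, 2, 1, 0)  # "1.2.1", padded to four fields
_VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")

def parse_version(text):
    """Parse '1.2.1' or '1.2.0.1000' into a 4-tuple; return None if malformed."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version_text):
    """Return 'affected', 'fixed', 'predates', 'review' or 'unparsed'."""
    v = parse_version(version_text)
    if v is None:
        return "unparsed"
    if v >= FIRST_FIXED:
        return "fixed"
    if v < FIRST_AFFECTED:
        return "predates"   # older than the release that introduced the bug
    if v <= LAST_AFFECTED:
        return "affected"
    return "review"         # after the last listed build, before 1.2.1: advisory is silent

def triage(inventory):
    """Map each status to the sorted list of hosts reporting it."""
    result = {}
    for host, version in inventory:
        result.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}

# Constructed sample inventory: (hostname, dokan1.sys file version). Not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "1.0.0.5000"), ("ws-02", "1.1.0.2000"), ("ws-03", "1.2.0.1000"),
    ("ws-04", "1.2.1.2000"), ("ws-05", "0.8.0.0"), ("ws-06", "1.2.0.1500"),
    ("ws-07", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:9} {', '.join(hosts)}")
```

Hosts in the `review` and `unparsed` buckets need a manual look rather than a pass.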
741315
Notified: December 19, 2018 Updated: December 20, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 19, 2018 Updated: December 20, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 10, 2018 Updated: December 20, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: January 15, 2019
Affected
After Dokan released a version containing this fix, Keybase added the upgraded package version 1.2.1.2000 and added a check to not mount to older drivers, and included these in a hotfix update, version 2.12.3-20181221135356+d161abd500.
See Keybase security advisory 003 for more details: <https://keybase.io/docs/secadv/kb003>
Notified: December 20, 2018 Updated: December 20, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: December 20, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 19, 2018 Updated: December 20, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 20, 2018 Updated: December 20, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 19, 2018 Updated: December 20, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 19, 2018 Updated: December 20, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 19, 2018 Updated: December 20, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: December 20, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 20, 2018 Updated: December 20, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 19, 2018 Updated: December 20, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: December 20, 2018
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: December 20, 2018
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: December 20, 2018
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: December 20, 2018
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 5.2 | AV:L/AC:L/Au:S/C:C/I:P/A:N |
Temporal | 4.3 | E:F/RL:OF/RC:C |
Environmental | 4.3 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
Thanks to Parvez Anwar for reporting this vulnerability.
This document was written by Madison Oliver.
CVE IDs: | CVE-2018-5410 |
---|---|
Date Public: | 2018-12-21 |
Date First Published: | |