Lucene search

[email protected]CVE-2018-1000221

HistoryOct 03, 2022 - 4:21 p.m.

CVE-2018-1000221

2022-10-0316:21:59

CWE-119

[email protected]

web.nvd.nist.gov

pkgconf

version 1.5.0

version 1.5.2

buffer overflow

dequote()

.pc file

nvd

cve-2018-1000221

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.0%

JSON

pkgconf version 1.5.0 to 1.5.2 contains a Buffer Overflow vulnerability in dequote() that can result in dequote() function returns 1-byte allocation if initial length is 0, leading to buffer overflow. This attack appear to be exploitable via specially crafted .pc file. This vulnerability appears to have been fixed in 1.5.3.

Affected configurations

NVD

Node

pkgconfpkgconfRange1.5.0–1.5.2

CPENameOperatorVersion
pkgconf:pkgconfpkgconfle1.5.2

CPE	Name	Operator	Version
pkgconf:pkgconf	pkgconf	le	1.5.2

References

git.dereferenced.org/pkgconf/pkgconf/pulls/3

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.0%

JSON

Related for CVE-2018-1000221

debiancve1 prion1 redhatcve1 nvd1 cvelist1 ubuntucve1 osv1