Lucene search

K

[email protected]NVD:CVE-2018-16845

HistoryNov 07, 2018 - 2:29 p.m.

CVE-2018-16845

2018-11-0714:29:00

CWE-400

CWE-835

[email protected]

web.nvd.nist.gov

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

6.1 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

6.6 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.6%

nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.

Affected configurations

NVD

Node

f5nginxRange1.0.7–1.0.15

OR

f5nginxRange1.1.3–1.15.5

Node

debiandebian_linuxMatch8.0

OR

debiandebian_linuxMatch9.0

Node

canonicalubuntu_linuxMatch14.04esm

OR

canonicalubuntu_linuxMatch16.04lts

OR

canonicalubuntu_linuxMatch18.04lts

OR

canonicalubuntu_linuxMatch18.10

Node

opensuseleapMatch15.1

Node

applexcodeRange<13.0

References

lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html

mailman.nginx.org/pipermail/nginx-announce/2018/000221.html

seclists.org/fulldisclosure/2021/Sep/36

www.securityfocus.com/bid/105868

www.securitytracker.com/id/1042039

access.redhat.com/errata/RHSA-2018:3652

access.redhat.com/errata/RHSA-2018:3653

access.redhat.com/errata/RHSA-2018:3680

access.redhat.com/errata/RHSA-2018:3681

bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16845

lists.debian.org/debian-lts-announce/2018/11/msg00010.html

support.apple.com/kb/HT212818

usn.ubuntu.com/3812-1/

www.debian.org/security/2018/dsa-4335

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

6.1 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

6.6 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.6%

Related for NVD:CVE-2018-16845

openvas13 veracode1 cvelist1 cve1 ubuntucve1 debian2 nessus20 debiancve1 redhatcve1 osv3 redhat4 nginx1 f51 alpinelinux1 prion1 photon6 mageia1 ubuntu1 oraclelinux2 suse2 altlinux1 freebsd1 ibm4 fedora2 symantec1 apple1