CVSS2: 5 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.058 Low
  Percentile: 93.4%

An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame
length was checked against the max_frame_size setting instead of being
checked against the bufsize. The max_frame_size only applies to outgoing
traffic and not to incoming, so if a large enough frame size is advertised
in the SETTINGS frame, a wrapped frame will be defragmented into a
temporarily allocated buffer where the second fragment may overflow the heap
by up to 16 kB. It is very unlikely that this can be exploited for code
execution, given that buffers are very short-lived and their addresses are
not realistically predictable in production, but an immediate crash is
certain.
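
The length check described above, as an added example in C. This is a simplified model and not HAProxy's code: `struct conn`, `len_ok_flawed`, `len_ok_fixed`, `defrag` and the `BUFSIZE` value are hypothetical names and constructed values. It contrasts validating an incoming frame length against the peer-advertised limit with validating it against the local buffer size, and keeps a second bound at the copy site.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUFSIZE 16384u  /* assumed local receive buffer size (constructed value) */

/* Hypothetical model of a connection: a ring buffer plus the peer's setting. */
struct conn {
    uint8_t  ring[BUFSIZE];
    size_t   head;            /* offset of the first unread byte in the ring */
    uint32_t peer_max_frame;  /* from the peer's SETTINGS: limits what WE send */
};

/* Flawed check: incoming length compared with the peer-advertised limit. */
static int len_ok_flawed(const struct conn *c, uint32_t len) {
    return len <= c->peer_max_frame;
}

/* Corrected check: incoming length compared with what the local buffer holds. */
static int len_ok_fixed(uint32_t len) {
    return len <= BUFSIZE;
}

/* Linearize a frame that wraps past the end of the ring into a temporary
 * BUFSIZE-byte buffer. Returns NULL rather than writing out of bounds. */
static uint8_t *defrag(const struct conn *c, uint32_t len) {
    if (len > BUFSIZE || c->head >= BUFSIZE)
        return NULL;                            /* second bound at the copy site */
    uint8_t *tmp = malloc(BUFSIZE);
    if (!tmp)
        return NULL;
    size_t first = BUFSIZE - c->head;           /* bytes up to the end of the ring */
    if (first > len)
        first = len;
    memcpy(tmp, c->ring + c->head, first);
    memcpy(tmp + first, c->ring, len - first);  /* second fragment, after the wrap */
    return tmp;
}

int main(void) {
    static struct conn c = { .head = BUFSIZE - 4, .peer_max_frame = 1u << 20 };
    uint32_t len = 20000;  /* constructed frame length, larger than BUFSIZE */
    /* Exit 0 when the flawed check admits it and the fixed check and defrag() refuse. */
    return !(len_ok_flawed(&c, len) && !len_ok_fixed(len) && !defrag(&c, len));
}
```
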
git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=cd117685f0cff4f2f5577ef6a21eaae96ebd9f28
git.haproxy.org/?p=haproxy.git;a=commit;h=3f0e1ec70173593f4c2b3681b26c04a4ed5fc588
launchpad.net/bugs/cve/CVE-2018-10184
nvd.nist.gov/vuln/detail/CVE-2018-10184
security-tracker.debian.org/tracker/CVE-2018-10184
www.cve.org/CVERecord?id=CVE-2018-10184