Lucene search

Ubuntu.comUB:CVE-2018-19217

HistoryNov 12, 2018 - 12:00 a.m.

CVE-2018-19217

2018-11-1200:00:00

ubuntu.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

35.9%

JSON

DISPUTED In ncurses, possibly a 6.x version, there is a NULL pointer
dereference at the function _nc_name_match that will lead to a denial of
service attack. NOTE: the original report stated version 6.1, but the issue
did not reproduce for that version according to the maintainer or a
reliable third-party.

Notes

Author	Note
ccdm94	for xenial and trusty the issue reproduces for the release version of the package with the provided POC file. However, patches applied to fix the CVE group CVE-2017-137xx and the CVE group CVE-2017-1068x have most likely fixed the currently considered vulnerability as well, with the reproducer no longer causing a segmentation fault for versions of the package that include these patches. This means that within the fixes present in the already applied patches was the fix for this CVE as well.

Author

Note

ccdm94

for xenial and trusty the issue reproduces for the release version of the package with the provided POC file. However, patches applied to fix the CVE group CVE-2017-137xx and the CVE group CVE-2017-1068x have most likely fixed the currently considered vulnerability as well, with the reproducer no longer causing a segmentation fault for versions of the package that include these patches. This means that within the fixes present in the already applied patches was the fix for this CVE as well.

OSVersionArchitecturePackageVersionFilename
ubuntu14.04noarchncurses< 5.9+20140118-1ubuntu1+esm1UNKNOWN
ubuntu16.04noarchncurses< 6.0+20160213-1ubuntu1+esm1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	14.04	noarch	ncurses	< 5.9+20140118-1ubuntu1+esm1	UNKNOWN
ubuntu	16.04	noarch	ncurses	< 6.0+20160213-1ubuntu1+esm1	UNKNOWN

References

bugzilla.redhat.com/show_bug.cgi?id=1643753

launchpad.net/bugs/cve/CVE-2018-19217

lists.gnu.org/archive/html/bug-ncurses/2019-04/msg00020.html

nvd.nist.gov/vuln/detail/CVE-2018-19217

security-tracker.debian.org/tracker/CVE-2018-19217

www.cve.org/CVERecord?id=CVE-2018-19217

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

35.9%

JSON

Related for UB:CVE-2018-19217