CVE-2018-1000005
curl: Out-of-bounds read in code handling HTTP/2 trailers
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.
libcurl 7.49.0 hasta e incluyendo la versión 7.57.0 contiene una lectura fuera de límites en los trailers de manipulación de código HTTP/2. Se ha notificado (https://github.com/curl/curl/pull/2231) que la lectura de un trailer HTTP/2 podría dañar futuros trailers debido a que el tamaño almacenado era un byte menor de lo requerido. El problema es que el código que crea cabeceras como HTTP/1 de los datos del trailer HTTP/2 anexaron una cadena como ":" en el búfer objetivo, a pesar de que se había cambiado recientemente a ": " (se añadió un espacio después de los dos puntos), pero la siguiente matemática no se actualizó debidamente. Al acceder a ellos, los datos se leen fuera de límites y provocan o un cierre inesperado o que los datos (demasiado grandes) se pasen a escritura del cliente. Esto podría conducir a una situación de denegación de servicio (DoS) o a una divulgación de información si alguien tiene un servicio que devuelva ecos o que emplee los trailers para algo.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-01-17 CVE Reserved
- 2018-01-24 CVE Published
- 2024-01-04 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-125: Out-of-bounds Read
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://www.securitytracker.com/id/1040273 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://curl.haxx.se/docs/adv_2018-824a.html | 2019-06-18 | |
| https://github.com/curl/curl/pull/2231 | 2019-06-18 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2019:1543 | 2019-06-18 | |
| https://usn.ubuntu.com/3554-1 | 2019-06-18 | |
| https://www.debian.org/security/2018/dsa-4098 | 2019-06-18 | |
| https://access.redhat.com/security/cve/CVE-2018-1000005 | 2019-06-18 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1536013 | 2019-06-18 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Haxx Search vendor "Haxx" | Libcurl Search vendor "Haxx" for product "Libcurl" | >= 7.49.0 <= 7.57.0 Search vendor "Haxx" for product "Libcurl" and version " >= 7.49.0 <= 7.57.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 17.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "17.10" | - |
Affected
| ||||||