CVE-2018-1000005

curl: Out-of-bounds read in code handling HTTP/2 trailers

Severity Score

9.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.

libcurl 7.49.0 hasta e incluyendo la versión 7.57.0 contiene una lectura fuera de límites en los trailers de manipulación de código HTTP/2. Se ha notificado (https://github.com/curl/curl/pull/2231) que la lectura de un trailer HTTP/2 podría dañar futuros trailers debido a que el tamaño almacenado era un byte menor de lo requerido. El problema es que el código que crea cabeceras como HTTP/1 de los datos del trailer HTTP/2 anexaron una cadena como ":" en el búfer objetivo, a pesar de que se había cambiado recientemente a ": " (se añadió un espacio después de los dos puntos), pero la siguiente matemática no se actualizó debidamente. Al acceder a ellos, los datos se leen fuera de límites y provocan o un cierre inesperado o que los datos (demasiado grandes) se pasen a escritura del cliente. Esto podría conducir a una situación de denegación de servicio (DoS) o a una divulgación de información si alguien tiene un servicio que devuelva ecos o que emplee los trailers para algo.

It was discovered that curl incorrectly handled certain data. An attacker could possibly use this to cause a denial of service or even to get access to sensitive data. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. It was discovered that curl could accidentally leak authentication data. An attacker could possibly use this to get access to sensitive information. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-01-17 CVE Reserved
2018-01-24 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (8)

URL	Tag	Source
http://www.securitytracker.com/id/1040273	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://curl.haxx.se/docs/adv_2018-824a.html	2019-06-18
https://github.com/curl/curl/pull/2231	2019-06-18

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2019:1543	2019-06-18
https://usn.ubuntu.com/3554-1	2019-06-18
https://www.debian.org/security/2018/dsa-4098	2019-06-18
https://access.redhat.com/security/cve/CVE-2018-1000005	2019-06-18
https://bugzilla.redhat.com/show_bug.cgi?id=1536013	2019-06-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Haxx Search vendor "Haxx"		Libcurl Search vendor "Haxx" for product "Libcurl"				>= 7.49.0 <= 7.57.0 Search vendor "Haxx" for product "Libcurl" and version " >= 7.49.0 <= 7.57.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				17.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "17.10"		-		Affected