CVE-2018-12086 — Out-of-bounds Write in Wireshark

CWE-787 — Out-of-bounds Write CWE-20 — Improper Input Validation CWE-502 — Deserialization of Untrusted Data12 documents6 sources

Severity

7.5HIGHNVD

GHSA9.8OSV9.8

EPSS

25.7%

top 3.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wireshark Fasterxml Jackson-databind Debian Wireshark +5 more

Timeline

PublishedSep 14

Latest updateMay 24

Description

Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶debiandebian/wireshark< wireshark 2.6.4-1 (bookworm)

▶Debianwireshark/wireshark< 2.6.4-1+3

▶Ubuntufasterxml/jackson-databind< 2.4.2-3ubuntu0.1~esm2

▶NVDopcfoundation/unified_architecture-java1.03.343

▶NVDopcfoundation/unified_architecture_ansic1.03.340

Also affects: Debian Linux 9.0

🔴Vulnerability Details

GHSA

Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl↗2022-05-24

▶

OSV

jackson-databind vulnerabilities↗2021-03-15

▶

GHSA

High severity vulnerability that affects OPCFoundation.NetStandard.Opc.Ua↗2018-10-16

▶

OSV

High severity vulnerability that affects OPCFoundation.NetStandard.Opc.Ua↗2018-10-16

▶

OSV

CVE-2018-12086: Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests↗2018-09-14

▶

📋Vendor Advisories

Red Hat

codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities↗2019-09-30

▶

Red Hat

wireshark: OpcUa dissector crash↗2018-10-10

▶

Debian

CVE-2018-12086: wireshark - Buffer overflow in OPC UA applications allows remote attackers to trigger a stac...↗2018

▶

💬Community

Bugzilla

CVE-2018-12086 wireshark: OpcUa dissector crash↗2018-10-25

▶

Bugzilla

CVE-2018-12086 CVE-2018-18225 CVE-2018-18226 CVE-2018-18227 wireshark: various flaws [fedora-all]↗2018-10-25

▶