CVE-2018-17937
published 2019-03-13CVE-2018-17937: gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source project, allow a stack-based buffer overflow, which may allow remote attackers to…
PriorityP351high8.8CVSS 3.1
AVAACLPRNUINSUCHIHAH
EPSS
2.66%
83.8th percentile
gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source project, allow a stack-based buffer overflow, which may allow remote attackers to execute arbitrary code on embedded platforms via traffic on Port 2947/TCP or crafted JSON inputs.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | gpsd | < gpsd 3.17-6 (bookworm) | gpsd 3.17-6 (bookworm) |
| gpsd_project | gpsd | >= 0 < 3.17-6 | 3.17-6 |
| gpsd_project | gpsd | >= 0 < 3.17-6 | 3.17-6 |
| gpsd_project | gpsd | >= 0 < 3.17-6 | 3.17-6 |
| gpsd_project | gpsd | >= 0 < 3.17-6 | 3.17-6 |
| gpsd_project | gpsd | 2.90 – 3.17 | — |
| ics-cert | gpsd_and_microjson | — | — |
| microjson_project | microjson | 1.0 – 1.3 | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.05.8MEDIUMAV:A/AC:L/Au:N/C:P/I:P/A:P
osv8.8HIGH
vendor_debian8.8LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
gpsd Open Source Project
cisa_ics·2019-02-14·CVSS 8.8
[HIGH] gpsd Open Source Project
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
gpsd Open Source Project
Last RevisedFebruary 14, 2019
Alert CodeICSA-18-310-01
## 1. EXECUTIVE SUMMARY
-
CVSS v3 8.3
- Vendor: gpsd Open Source Project
- Equipment: gpsd, microjson
- Vulnerability: Stack-based Buffer Overflow
## 2. REPOSTED INFORMATION
This advisory was originally posted to the HSIN ICS-CERT library on November 6, 2018, and is being released to the NCCIC/ICS-CERT website.
## 3. RISK EVALUATION
Successful exploitation of this vulnerability could allow remote code execution, data exfiltration, or denial-of service via device crash.
## 4. TECHNICAL DETAILS
Debian
CVE-2018-17937: gpsd - gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source pro...
vendor_debian·2018·CVSS 8.8
CVE-2018-17937 [HIGH] CVE-2018-17937: gpsd - gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source pro...
gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source project, allow a stack-based buffer overflow, which may allow remote attackers to execute arbitrary code on embedded platforms via traffic on Port 2947/TCP or crafted JSON inputs.
Scope: local
bookworm: resolved (fixed in 3.17-6)
bullseye: resolved (fixed in 3.17-6)
forky: resolved (fixed in 3.17-6)
sid: resolved (fixed in 3.17-6)
trixie: resolved (fixed in 3.17-6)
GHSA
GHSA-67xr-69p3-rj69: gpsd versions 2
ghsa_unreviewed·2022-05-13
CVE-2018-17937 [HIGH] CWE-121 GHSA-67xr-69p3-rj69: gpsd versions 2
gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source project, allow a stack-based buffer overflow, which may allow remote attackers to execute arbitrary code on embedded platforms via traffic on Port 2947/TCP or crafted JSON inputs.
OSV
CVE-2018-17937: gpsd versions 2
osv·2019-03-13·CVSS 8.8
CVE-2018-17937 [HIGH] CVE-2018-17937: gpsd versions 2
gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source project, allow a stack-based buffer overflow, which may allow remote attackers to execute arbitrary code on embedded platforms via traffic on Port 2947/TCP or crafted JSON inputs.
No detection rules found.
No public exploits indexed.
http://www.securityfocus.com/bid/107029https://ics-cert.us-cert.gov/advisories/ICSA-18-310-01https://lists.debian.org/debian-lts-announce/2019/03/msg00040.htmlhttps://lists.debian.org/debian-lts-announce/2021/10/msg00024.htmlhttps://security.gentoo.org/glsa/202009-17http://www.securityfocus.com/bid/107029https://ics-cert.us-cert.gov/advisories/ICSA-18-310-01https://lists.debian.org/debian-lts-announce/2019/03/msg00040.htmlhttps://lists.debian.org/debian-lts-announce/2021/10/msg00024.htmlhttps://security.gentoo.org/glsa/202009-17
2019-03-13
Published