CVE-2018-18409 — Out-of-bounds Read in Tcpflow

CWE-125 — Out-of-bounds Read9 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.3%

top 44.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digitalcorpora Tcpflow Canonical Ubuntu Linux Fedoraproject Fedora

Timeline

PublishedOct 17

Latest updateMay 14

Description

A stack-based buffer over-read exists in setbit() at iptree.h of TCPFLOW 1.5.0, due to received incorrect values causing incorrect computation, leading to denial of service during an address_histogram call or a get_histogram call.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶Debiandigitalcorpora/tcpflow< 1.5.2+repack1-1+3

▶NVDdigitalcorpora/tcpflow1.5.0

Also affects: Fedora 28, 29, Ubuntu Linux 16.04, 18.04, 18.10

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-5xhp-rfv2-8345: A stack-based buffer over-read exists in setbit() at iptree↗2022-05-14

▶

CVEList

CVE-2018-18409: A stack-based buffer over-read exists in setbit() at iptree↗2018-10-17

▶

OSV

CVE-2018-18409: A stack-based buffer over-read exists in setbit() at iptree↗2018-10-17

▶

📋Vendor Advisories

Ubuntu

tcpflow vulnerabilities↗2019-04-24

▶

Debian

CVE-2018-18409: tcpflow - A stack-based buffer over-read exists in setbit() at iptree.h of TCPFLOW 1.5.0, ...↗2018

▶

💬Community

Bugzilla

CVE-2018-18409 tcpflow: stack-based buffer over-read exists in setbit() at iptree.h [fedora-all]↗2018-11-05

▶

Bugzilla

CVE-2018-18409 tcpflow: stack-based buffer over-read exists in setbit() at iptree.h↗2018-11-05

▶

Bugzilla

CVE-2018-18409 tcpflow: stack-based buffer over-read exists in setbit() at iptree.h [epel-7]↗2018-11-05

▶