CVE-2018-19837 — Uncontrolled Resource Consumption in Libsass

CWE-400 — Uncontrolled Resource Consumption7 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.7%

top 28.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libsass Sass-lang Libsass Debian Libsass

Timeline

PublishedDec 4

Latest updateMay 14

Description

In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/libsass< libsass 3.5.4+20180621~c0a6cf3-1 (bookworm)

▶NVDsass-lang/libsass< 3.5.5

▶Debianlibsass/libsass< 3.5.4+20180621~c0a6cf3-1+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-c774-r78g-7qj4: In LibSass prior to 3↗2022-05-14

▶

OSV

CVE-2018-19837: In LibSass prior to 3↗2018-12-04

▶

📋Vendor Advisories

Debian

CVE-2018-19837: libsass - In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) insi...↗2018

▶

💬Community

Bugzilla

CVE-2018-19837 libsass: Stack consumption in Sass::Eval::operator() resulting in a denial of service↗2019-01-31

▶

Bugzilla

CVE-2018-19797 CVE-2018-19826 CVE-2018-19827 CVE-2018-19837 CVE-2018-19838 CVE-2018-19839 CVE-2018-20190 libsass: various flaws [epel-7]↗2019-01-31

▶

Bugzilla

CVE-2018-19797 CVE-2018-19826 CVE-2018-19827 CVE-2018-19837 CVE-2018-19838 CVE-2018-19839 CVE-2018-20190 libsass: various flaws [fedora-all]↗2019-01-31

▶