Severity: 5.9 MEDIUM
EPSS: 9.3% (top 7.26%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 19; Latest update May 13

Description

The Quagga BGP daemon (bgpd) prior to version 1.2.3 does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or bgpd may crash.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Exploitability: 2.8 | Impact: 4.2

Affected Packages (2 packages)

CVEListV5: quagga/bgpd bpgd 1.2.3
NVD: quagga/quagga 1.2.2

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10

🔴 Vulnerability Details (3)

GHSA: GHSA-529c-38p9-5c53: The Quagga BGP daemon (bgpd) prior to version 1 (2022-05-13)
CVEList: CVE-2018-5378: The Quagga BGP daemon (bgpd) prior to version 1 (2018-02-19)
OSV: quagga vulnerabilities (2018-02-16)

📋 Vendor Advisories (2)

Ubuntu: Quagga vulnerabilities (2018-02-16)
Red Hat: quagga: bgpd does not properly bounds check the data sent with a NOTIFY allowing leak of sensitive data or crash (2018-02-15)

💬 Community (2)

Bugzilla: CVE-2018-5378 quagga: bgpd does not properly bounds check the data sent with a NOTIFY allowing leak of sensitive data or crash [fedora-all] (2018-02-16)
Bugzilla: CVE-2018-5378 quagga: bgpd does not properly bounds check the data sent with a NOTIFY allowing leak of sensitive data or crash (2018-02-07)
CVE-2018-5378 (MEDIUM CVSS 5.9) | The Quagga BGP daemon (bgpd) prior | cvebase.io