Vulnerability Details CVE-2018-18409
A stack-based buffer over-read exists in setbit() at iptree.h of TCPFLOW 1.5.0, due to received incorrect values causing incorrect computation, leading to denial of service during an address_histogram call or a get_histogram call.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 56.3%
CVSS Severity
CVSS v3 Score 5.5
CVSS v2 Score 4.3
References
- https://github.com/simsong/tcpflow/issues/195
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K6MP4YMCJX4ITOBFX427UMOA6E7ZLJDE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MN5FW6HKPDP7PI2IVNMFSQVIDSCQ5BOR/
- https://usn.ubuntu.com/3955-1/
- https://github.com/simsong/tcpflow/issues/195
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K6MP4YMCJX4ITOBFX427UMOA6E7ZLJDE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MN5FW6HKPDP7PI2IVNMFSQVIDSCQ5BOR/
- https://usn.ubuntu.com/3955-1/
Products affected by CVE-2018-18409
-
cpe:2.3:a:digitalcorpora:tcpflow:1.5.0
-
cpe:2.3:o:canonical:ubuntu_linux:16.04
-
cpe:2.3:o:canonical:ubuntu_linux:18.04
-
cpe:2.3:o:canonical:ubuntu_linux:18.10
-
cpe:2.3:o:fedoraproject:fedora:28
-
cpe:2.3:o:fedoraproject:fedora:29