CVE-2018-1000880

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

libarchive version commit 9693801580c0cf7c70e862d305270a16b52826a7 onwards (release v3.2.0 onwards) contains a CWE-20: Improper Input Validation vulnerability in WARC parser - libarchive/archive_read_support_format_warc.c, _warc_read() that can result in DoS - quasi-infinite run time and disk usage from tiny file. This attack appear to be exploitable via the victim must open a specially crafted WARC file.

References

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00055.html

http://www.securityfocus.com/bid/106324

https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909

https://github.com/libarchive/libarchive/pull/1105

https://github.com/libarchive/libarchive/pull/1105/commits/9c84b7426660c09c18cc349f6d70b5f8168b5680

https://lists.fedoraproject.org/archives/list/[email protected]/message/CBOCC2M6YGPZA6US43YK4INPSJZZHRTG/

https://lists.fedoraproject.org/archives/list/[email protected]/message/W645KCLWFDBDGFJHG57WOVXGE62QSIJI/

https://lists.fedoraproject.org/archives/list/[email protected]/message/ZVXA7PHINVT6DFF6PRLTDTVTXKDLVHNF/

https://usn.ubuntu.com/3859-1/

https://www.debian.org/security/2018/dsa-4360

Details

Source: MITRE

Published: 2018-12-20

Updated: 2020-08-24

Type: CWE-119

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 2.8

Severity: MEDIUM

Tenable Plugins

View all (9 total)

IDNameProductFamilySeverity
126114Photon OS 3.0: Libarchive PHSA-2019-3.0-0015NessusPhotonOS Local Security Checks
high
124863Photon OS 1.0: Libarchive PHSA-2019-1.0-0227NessusPhotonOS Local Security Checks
high
124557Fedora 30 : libarchive (2019-fbe83d0e32)NessusFedora Local Security Checks
high
124051openSUSE Security Update : libarchive (openSUSE-2019-1196)NessusSuSE Local Security Checks
high
123766Fedora 28 : libarchive (2019-c595a93536)NessusFedora Local Security Checks
high
123636SUSE SLED15 / SLES15 Security Update : libarchive (SUSE-SU-2019:0831-1)NessusSuSE Local Security Checks
high
123098Fedora 29 : libarchive (2019-0233ec0ff3)NessusFedora Local Security Checks
high
121211Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : libarchive vulnerabilities (USN-3859-1)NessusUbuntu Local Security Checks
high
119893Debian DSA-4360-1 : libarchive - security updateNessusDebian Local Security Checks
high