CVE-2018-8754
Published: 18 March 2018
** DISPUTED ** The libevt_record_values_read_event() function in libevt_record_values.c in libevt before 2018-03-17 does not properly check for out-of-bounds values of user SID data size, strings size, or data size. NOTE: the vendor has disputed this as described in libyal/libevt issue 5 on GitHub.
Priority
Status
Package | Release | Status |
---|---|---|
libevt (Launchpad, Ubuntu, Debian) | artful | Released (20170120-1+deb9u1build0.17.10.1) |
libevt | bionic | Released (20170120-2) |
libevt | cosmic | Released (20170120-2) |
libevt | disco | Released (20170120-2) |
libevt | eoan | Released (20170120-2) |
libevt | focal | Released (20170120-2) |
libevt | groovy | Released (20170120-2) |
libevt | hirsute | Released (20170120-2) |
libevt | impish | Released (20170120-2) |
libevt | jammy | Released (20170120-2) |
libevt | kinetic | Released (20170120-2) |
libevt | lunar | Released (20170120-2) |
libevt | mantic | Released (20170120-2) |
libevt | noble | Released (20170120-2) |
libevt | trusty | Does not exist |
libevt | upstream | Released (20180317-1, 20170120-1+deb9u1) |
libevt | xenial | Not vulnerable (disputed) |

Patches:
upstream: https://github.com/libyal/libevt/commit/444ca3ce7853538c577e0ec3f6146d2d65780734
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |