9.8

CVE-2018-19115

keepalived before 2.0.7 has a heap-based buffer overflow when parsing HTTP status codes resulting in DoS or possibly unspecified other impact, because extract_status_code in lib/html.c has no validation of the status code and instead writes an unlimited amount of data to the heap.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3.75% 0.885
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://bugzilla.suse.com/show_bug.cgi?id=1015141
Third Party Advisory
Issue Tracking
https://security.gentoo.org/glsa/201903-01
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0022
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1792
https://access.redhat.com/errata/RHSA-2019:1945
https://github.com/acassen/keepalived/pull/961
Patch
Third Party Advisory
https://github.com/acassen/keepalived/pull/961/commits/f28015671a4b04785859d1b4b1327b367b6a10e9
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/11/msg00034.html
Third Party Advisory
Mailing List
https://usn.ubuntu.com/3995-1/
https://usn.ubuntu.com/3995-2/