VDB
CVE-2018-10184
CVE-2018-10184
REJECTED
An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length was checked against the max_frame_size setting instead of being checked against the bufsize. The max_frame_size only applies to outgoing traffic and not to incoming, so if a large enough frame size is advertised in the SETTINGS frame, a wrapped frame will be defragmented into a temporary allocated buffer where the second fragment may overflow the heap by up to 16 kB. It is very unlikely that this can be exploited for code execution given that buffers are very short lived and their addresses not realistically predictable in production, but the likelihood of an immediate crash is absolutely certain.
EPSS 25.06% · 96.3th percentile
Risk Scores
EPSS Score
25.06%
96.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | haproxy | 0, 1.7.9-1ubuntu1, 1.7.9-1ubuntu2 |
Exploit Intelligence
Timeline
- May 9, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 11, 2023 EPSS Score
- May 3, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-10184 third-party-advisory
- http://git.haproxy.org/?p=haproxy.git;a=commit;h=3f0e1ec70173593f4c2b3681b26c04a4ed5fc588 third-party-advisory
- http://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=cd117685f0cff4f2f5577ef6a21eaae96ebd9f28 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-10184 third-party-advisory