VDB
CVE-2018-15501
CVE-2018-15501
PUBLISHED
In ng_pkt in transports/smart_pkt.c in libgit2 before 0.26.6 and 0.27.x before 0.27.4, a remote attacker can send a crafted smart-protocol "ng" packet that lacks a '\0' byte to trigger an out-of-bounds read that leads to DoS.
EPSS 2.92% · 86.7th percentile
Risk Scores
EPSS Score
2.92%
86.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:18.04:LTS | libgit2 | 0, 0.25.1+really0.24.6-1, 0.26.0+dfsg.1-1.1 |
| Ubuntu:Pro:16.04:LTS | libgit2 | 0.24.1-2, 0.23.1-1, 0.24.1-2ubuntu0.2 |
| Ubuntu:Pro:14.04:LTS | libgit2 | 0.19.0-2, 0.19.0-2ubuntu0.4, 0.19.0-2ubuntu0.4+esm1 |
Exploit Intelligence
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9406 (nist-nvd)
- https://github.com/libgit2/libgit2/releases/tag/v0.27.4 (circl)
- https://www.pro-linux.de/sicherheit/2/44650/denial-of-service-in-libgit2.html (circl)
- https://bugzilla.suse.com/show_bug.cgi?id=1104641 (circl)
- [debian-lts-announce] 20180825 [SECURITY] [DLA 1477-1] libgit2 security update (circl)
- https://github.com/libgit2/libgit2/releases/tag/v0.26.6 (circl)
- https://github.com/libgit2/libgit2/commit/1f9a8510e1d2f20ed7334eeeddb92c4dd8e7c649 (circl)
- [debian-lts-announce] 20220321 [SECURITY] [DLA 2936-1] libgit2 security update (circl)
Timeline
- Aug 18, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 11, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-15501 third-party-advisory
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9406 third-party-advisory
- https://github.com/libgit2/libgit2/commit/1f9a8510e1d2f20ed7334eeeddb92c4dd8e7c649 third-party-advisory
- https://bugzilla.suse.com/show_bug.cgi?id=1104641 third-party-advisory
- https://github.com/libgit2/libgit2/releases/tag/v0.26.6 third-party-advisory
- https://github.com/libgit2/libgit2/releases/tag/v0.27.4 third-party-advisory
- https://www.pro-linux.de/sicherheit/2/44650/denial-of-service-in-libgit2.html third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-15501 third-party-advisory