Vulnerability Details : CVE-2018-14680
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames.
Vulnerability category: Input validation
Products affected by CVE-2018-14680
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*
- cpe:2.3:a:cabextract:libmspack:0.6:alpha:*:*:*:*:*:*
- cpe:2.3:a:cabextract:libmspack:0.4:alpha:*:*:*:*:*:*
- cpe:2.3:a:cabextract:libmspack:0.0.20060920:alpha:*:*:*:*:*:*
- cpe:2.3:a:cabextract:libmspack:0.5:alpha:*:*:*:*:*:*
- cpe:2.3:a:cabextract:libmspack:0.3:alpha:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:a:cabextract_project:cabextract:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-14680
1.58%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 80 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-14680
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
8.6
|
2.9
|
NIST | |
|
6.5
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2018-14680
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-14680
-
https://usn.ubuntu.com/3728-1/
USN-3728-1: libmspack vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2018/08/msg00007.html
[SECURITY] [DLA-1460-1] libmspack security updateMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:3505
RHSA-2018:3505 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.openwall.com/lists/oss-security/2018/07/26/1
oss-security - Fw: New cabextract 1.7 and libmspack 0.7 releaseMailing List;Third Party Advisory
-
https://usn.ubuntu.com/3728-3/
USN-3728-3: ClamAV vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://bugs.debian.org/904801
#904801 - libmspack: CVE-2018-14680: libmspack now rejects blank CHM filenames - Debian Bug report logsIssue Tracking;Mailing List;Patch;Third Party Advisory
-
https://usn.ubuntu.com/3728-2/
USN-3728-2: ClamAV vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://security.gentoo.org/glsa/201903-20
cabextract, libmspack: Multiple vulnerabilities (GLSA 201903-20) — Gentoo securityThird Party Advisory
-
https://github.com/kyz/libmspack/commit/72e70a921f0f07fee748aec2274b30784e1d312a
Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and · kyz/libmspack@72e70a9 · GitHubPatch;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:3327
RHSA-2018:3327 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://www.debian.org/security/2018/dsa-4260
Debian -- Security Information -- DSA-4260-1 libmspackThird Party Advisory
-
https://usn.ubuntu.com/3789-2/
USN-3789-2: ClamAV vulnerabilities | Ubuntu security noticesThird Party Advisory
-
http://www.securitytracker.com/id/1041410
Clam AntiVirus Memory Errors in 'libmspack' Component Let Remote Users Deny Service and Execute Arbitrary Code - SecurityTrackerThird Party Advisory;VDB Entry
Jump to