Out-of-bounds read in curl (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-1000005 |
| CWE-ID | CWE-125 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
curl (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Out-of-bounds read
EUVDB-ID: #VU10223
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-1000005
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information or cause DoS condition on the target system.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted
HTTP/2 trailer to trigger an out-of-bounds memory read error and cause
the application to crash or obtain potentially sensitive information from
services that echo back or otherwise use the trailers.
Install update from vendor's website.
Vulnerable software versionscurl (Alpine package): 7.57.0-r0
CPE2.3 External linkshttps://git.alpinelinux.org/aports/commit/?id=6e70a2d69d0f187a8377382342251df152f07be5
https://git.alpinelinux.org/aports/commit/?id=c06e486361bfb260c36b661c47d03ff912df9539
https://git.alpinelinux.org/aports/commit/?id=c89963423f62b461c4ff91f4e1ccb9af756fe5d4
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
