Vulnerability identifier: #VU33038
Vulnerability risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID: CWE-20
Exploitation vector: Network
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 is vulnerable to an algorithmic complexity attack on email address parsing: a remote attacker who can deliver a message into RT can supply crafted addresses that make the parser do disproportionate work, denying service to the mail gateway.
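The following is an added illustration of the bug class named above; it is constructed for this advisory and is not Request Tracker's code, nor a reproduction of RT's parser. A naive address pattern with a nested quantifier backtracks exponentially when the expected `@` never arrives, while the hardened parser caps input length first and uses a pattern with only one way to match any prefix. The function names (parse_naive, parse_safe, pathological_address, time_parser), the constant MAX_ADDRESS_LEN and the sample inputs are assumptions of this example.

```python
"""Illustration of an algorithmic-complexity (catastrophic backtracking) bug in
e-mail address parsing, beside a hardened parser.  Constructed example for this
advisory; it is not Request Tracker's code and does not reproduce RT's parser.
"""
import re
import time

# Naive pattern with a nested quantifier: (?:[a-z0-9]+\.?)+ can split a run of
# letters into exponentially many groupings, and the engine tries all of them
# when the required '@' never appears.
NAIVE_ADDRESS = re.compile(r'^((?:[a-z0-9]+\.?)+)@([a-z0-9.-]+)$', re.IGNORECASE)

# Hardened pattern: every dot-separated atom is delimited by a literal '.',
# so there is exactly one way to match any prefix and backtracking is linear.
SAFE_ADDRESS = re.compile(
    r'^([a-z0-9]+(?:\.[a-z0-9]+)*)@([a-z0-9-]+(?:\.[a-z0-9-]+)*)$', re.IGNORECASE)

# RFC 5321 limits a path to 256 octets including the angle brackets, so 254 is
# the usual ceiling for a bare address (assumed cap for this example).  Refusing
# longer input before matching bounds the work an attacker can demand per address.
MAX_ADDRESS_LEN = 254


def parse_naive(address):
    """Vulnerable parser: no length cap, backtracking-prone pattern."""
    m = NAIVE_ADDRESS.match(address)
    return (m.group(1), m.group(2)) if m else None


def parse_safe(address):
    """Hardened parser: length cap first, then an unambiguous pattern."""
    if len(address) > MAX_ADDRESS_LEN:
        return None
    m = SAFE_ADDRESS.match(address)
    return (m.group(1), m.group(2)) if m else None


def pathological_address(n):
    """Attacker-controlled 'address' (constructed): n letters and no '@', so the
    naive pattern tries every grouping of the letters before failing."""
    return 'a' * n + '!'


def time_parser(parser, address):
    """Return (result, seconds) for one parse; used to compare the two parsers."""
    start = time.perf_counter()
    result = parser(address)
    return result, time.perf_counter() - start


if __name__ == '__main__':
    # Naive time roughly doubles per added character; the safe parser stays flat.
    for n in (12, 14, 16, 18):
        bad = pathological_address(n)
        _, t_naive = time_parser(parse_naive, bad)
        _, t_safe = time_parser(parse_safe, bad)
        print(f'n={n:2d}  naive={t_naive:8.4f}s  safe={t_safe:8.6f}s')
    print(parse_safe('alice.smith@example.org'))
```

The same measurement is the check a practitioner can run against any ingestion path: feed it addresses of growing length with the terminating character missing and watch whether parse time grows linearly or doubles per character. The length cap is the cheap, pattern-independent defence; the unambiguous pattern is what removes the exponential behaviour itself.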
Mitigation
Install the update from the vendor's website.
External links
https://bestpractical.com/download-page
https://lists.debian.org/debian-lts-announce/2020/02/msg00009.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CPJVDT77ZPRU5Z2BEMZM7EBY6WZHUATZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YR46PPHBEM76DNN4DEQMAYIKLCO3TQU2/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.