Vulnerability CVE-2018-1000517

Vulnerability Name:

CVE-2018-1000517 (CCN-145619)

Assigned:

2018-04-08

Published:

2018-04-08

Updated:

2021-02-18

Summary:

BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-120

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2018-1000517

Source: XF
Type: UNKNOWN
busybox-cve20181000517-bo(145619)

Source: CCN
Type: busybox GIT Repository
wget: check chunk length for overflowing off_t

Source: MISC
Type: Patch, Vendor Advisory
https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20180727 [SECURITY] [DLA 1445-1] busybox security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210215 [SECURITY] [DLA 2559-1] busybox security update

Source: UBUNTU
Type: Third Party Advisory
USN-3935-1

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-1000517

Vulnerable Configuration:

Configuration 1:

cpe:/a:busybox:busybox:*:*:*:*:*:*:*:* (Version < 1.29.0)

Configuration 2:

cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:busybox:busybox:-:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7456	P	busybox-1.35.0-150500.8.2 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:800	P	Security update for libjpeg-turbo (Moderate)	2022-10-04
oval:org.opensuse.security:def:3744	P	Security update for java-11-openjdk (Important) (in QA)	2022-07-22
oval:org.opensuse.security:def:3515	P	gstreamer-plugins-good-1.8.3-15.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3701	P	libvpx1-1.3.0-3.3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94627	P	libbsd-devel-0.8.7-3.3.17 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:93142	P	(Important)	2022-06-10
oval:org.opensuse.security:def:93295	P	(Important)	2022-05-16
oval:org.opensuse.security:def:99753	P	(Moderate)	2022-03-04
oval:org.opensuse.security:def:119071	P	Security update for busybox (Important)	2022-02-14
oval:org.opensuse.security:def:101592	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:118692	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:119379	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:118882	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:100064	P	(Moderate)	2022-01-20
oval:org.opensuse.security:def:119564	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:861	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:119189	P	Security update for busybox (Important)	2022-01-20
oval:org.opensuse.security:def:112032	P	busybox-1.35.0-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:99228	P	(Important)	2022-01-17
oval:org.opensuse.security:def:10441	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:105723	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9677	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92083	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99427	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:69618	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96259	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:106117	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92477	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102929	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:111864	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70854	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99825	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:8727	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70016	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109595	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96210	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:106515	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10445	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92875	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102890	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9117	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70567	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96340	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109556	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:93425	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102933	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9478	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70858	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70027	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109599	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:64833	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96220	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10714	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:105918	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9876	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92278	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102900	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9129	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70581	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99626	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:69817	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109566	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:73955	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:106316	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10427	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:92676	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:103028	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:100136	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:8922	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109687	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96249	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:106804	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:10718	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9887	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:102910	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:9139	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:70585	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99033	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:109576	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:96200	P	Security update for busybox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:99160	P	(Important)	2021-11-11
oval:org.opensuse.security:def:111105	P	Security update for busybox (Important)	2021-10-31
oval:org.opensuse.security:def:106443	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92803	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:101340	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:9049	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:70495	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:108006	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:73726	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:10167	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:9413	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:64790	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:105850	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:9804	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92210	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:99554	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:69745	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:73912	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:106244	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:10355	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92604	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:8854	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:106730	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92989	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:98965	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:105655	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:9605	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92015	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:70307	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:99355	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:69553	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:117520	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:106045	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:92405	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:111767	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:8666	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:69944	P	Security update for busybox (Important)	2021-10-27
oval:org.opensuse.security:def:64604	P	Security update for busybox (Important)	2021-10-27
oval:com.ubuntu.xenial:def:201810005170000000	V	CVE-2018-1000517 on Ubuntu 16.04 LTS (xenial) - medium.	2018-06-26
oval:com.ubuntu.artful:def:20181000517000	V	CVE-2018-1000517 on Ubuntu 17.10 (artful) - medium.	2018-06-26
oval:com.ubuntu.xenial:def:20181000517000	V	CVE-2018-1000517 on Ubuntu 16.04 LTS (xenial) - medium.	2018-06-26
oval:com.ubuntu.disco:def:201810005170000000	V	CVE-2018-1000517 on Ubuntu 19.04 (disco) - medium.	2018-06-26
oval:com.ubuntu.bionic:def:20181000517000	V	CVE-2018-1000517 on Ubuntu 18.04 LTS (bionic) - medium.	2018-06-26
oval:com.ubuntu.cosmic:def:201810005170000000	V	CVE-2018-1000517 on Ubuntu 18.10 (cosmic) - medium.	2018-06-26
oval:com.ubuntu.cosmic:def:20181000517000	V	CVE-2018-1000517 on Ubuntu 18.10 (cosmic) - medium.	2018-06-26
oval:com.ubuntu.bionic:def:201810005170000000	V	CVE-2018-1000517 on Ubuntu 18.04 LTS (bionic) - medium.	2018-06-26
oval:com.ubuntu.trusty:def:20181000517000	V	CVE-2018-1000517 on Ubuntu 14.04 LTS (trusty) - medium.	2018-06-26

BACK