Vulnerability Name:

CVE-2018-10888 (CCN-147432)

Assigned: 2018-07-10
Published: 2018-07-10
Updated: 2022-04-19
Summary: A flaw was found in libgit2 before version 0.27.3. A missing check in the git_delta_apply function in delta.c may lead to an out-of-bounds read while reading a binary delta file. An attacker may use this flaw to cause a denial of service.
CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
3.3 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
2.9 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
1.7 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-125
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2018-10888

Source: CCN
Type: Red Hat Bugzilla – Bug 1598024
(CVE-2018-10888) CVE-2018-10888 libgit2: an improper input validation leads to an out-of-bound read in git_delta_apply, allowing to read beyond delta limits

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1598024

Source: XF
Type: UNKNOWN
libgit2-cve201810888-dos(147432)

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/libgit2/libgit2/commit/9844d38bed10e9ff17174434b3421b227ae710f3

Source: CCN
Type: libgit2 GIT Repository
0.27.3

Source: CONFIRM
Type: Patch, Release Notes, Third Party Advisory
https://github.com/libgit2/libgit2/releases/tag/v0.27.3

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20180825 [SECURITY] [DLA 1477-1] libgit2 security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20220321 [SECURITY] [DLA 2936-1] libgit2 security update

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:libgit2:libgit2:*:*:*:*:*:*:*:* (Version < 0.27.3)

Configuration 2:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:libgit2:libgit2:0.26.0:-:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:201810888 | V | CVE-2018-10888 | 2023-06-22
oval:org.opensuse.security:def:8032 | P | libgit2-1_3-1.3.0-150400.3.6.1 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:3400 | P | xdg-utils-20140630-6.3.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:1401 | P | Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP3) (Important) (in QA) | 2022-06-27
oval:org.opensuse.security:def:1402 | P | Security update for the Linux Kernel (Live Patch 11 for SLE 15 SP3) (Important) (in QA) | 2022-06-27
oval:org.opensuse.security:def:95030 | P | libgit2-1_3-1.3.0-150400.1.6 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:2936 | P | gmp-devel-6.1.2-4.9.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:2926 | P | gc-devel-7.6.4-1.16 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:1347 | P | Security update for the Linux Kernel (Live Patch 2 for SLE 15 SP3) (Important) | 2022-05-10
oval:org.opensuse.security:def:1816 | P | Security update for the Linux Kernel (Important) | 2022-03-08
oval:org.opensuse.security:def:895 | P | Security update for qemu (Low) | 2022-01-25
oval:org.opensuse.security:def:10444 | P | Security update for MozillaFirefox (Important) (in QA) | 2022-01-14
oval:org.opensuse.security:def:64639 | P | Security update for xorg-x11-server (Important) | 2021-12-14
oval:org.opensuse.security:def:10174 | P | Security update for samba (Important) | 2021-11-19
oval:org.opensuse.security:def:10351 | P | Security update for python-Pygments (Important) | 2021-10-20
oval:org.opensuse.security:def:10155 | P | Security update for ffmpeg (Important) | 2021-09-23
oval:org.opensuse.security:def:71339 | P | libyaml-0-2-0.1.7-1.17 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:71226 | P | libX11-6-1.6.5-3.3.1 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:10338 | P | Security update for java-11-openjdk (Important) | 2021-09-03
oval:org.opensuse.security:def:10329 | P | Security update for openssl-1_0_0 (Important) | 2021-08-24
oval:org.opensuse.security:def:10321 | P | Security update for libass (Important) | 2021-08-20
oval:org.opensuse.security:def:10325 | P | Security update for java-1_8_0-openjdk (Important) | 2021-08-20
oval:org.opensuse.security:def:10140 | P | Security update for java-1_8_0-openjdk (Important) | 2021-08-20
oval:org.opensuse.security:def:10316 | P | Security update for webkit2gtk3 (Important) | 2021-08-17
oval:org.opensuse.security:def:47417 | P | libtasn1-4.9-1.7 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47745 | P | libmusicbrainz4-2.1.5-27.79 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48117 | P | libgnomesu-2.0.0-353.6.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47552 | P | apache-commons-httpclient-3.1-4.364 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47416 | P | libtag1-1.9.1-1.218 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47969 | P | ceph-common-12.2.12+git.1568024032.02236657ca-2.39.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47431 | P | libvte9-0.28.2-19.7 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47877 | P | rpm-32bit-4.11.2-16.16.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48331 | P | unrar-5.0.14-3.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:2286 | P | sca-patterns-sle15-1.0.1-12.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2246 | P | libapr-util1-dbd-mysql-1.6.1-16.43 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2281 | P | rmt-server-2.6.8-1.2 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2242 | P | grub2-x86_64-xen-2.04-20.4 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2275 | P | python3-Twisted-19.10.0-3.2.6 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2288 | P | squid-4.13-5.23.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2230 | P | apache2-mod_wsgi-python3-4.5.18-2.27 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2255 | P | libosinfo-devel-1.7.1-1.52 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:63020 | P | libgit2-28-0.28.4-1.28 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:100852 | P | gssproxy-0.8.2-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:100853 | P | gstreamer-1.16.2-1.53 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101278 | P | libgit2-28-0.28.4-1.28 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1931 | P | libgit2-28-0.28.4-1.28 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72739 | P | libgit2-28-0.28.4-1.28 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:64552 | P | Security update for webkit2gtk3 (Important) | 2021-08-03
oval:org.opensuse.security:def:10274 | P | Security update for the Linux Kernel (Important) | 2021-06-09
oval:org.opensuse.security:def:48747 | P | libtag1-32bit-1.9.1-1.265 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:66818 | P | Security update for libX11 (Important) | 2021-06-08
oval:org.opensuse.security:def:48573 | P | libzip2-0.11.1-12.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:11302 | P | ft2demos-2.5.3-2.11 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48729 | P | lcms-1.19-17.31 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48477 | P | libXvnc1-1.6.0-12.6 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:16511 | P | libgit2-24-0.24.1-7.6.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:66819 | P | Security update for gstreamer-plugins-bad (Important) | 2021-06-08
oval:org.opensuse.security:def:124517 | P | libgit2-24-0.24.1-7.6.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48415 | P | fetchmail-6.3.26-12.3 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:11280 | P | cups-filters-1.0.58-2.6 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48873 | P | libtag1-32bit-1.9.1-1.265 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48728 | P | kernel-default-extra-3.12.49-11.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48542 | P | libpython2_7-1_0-2.7.9-24.2 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48644 | P | w3m-0.5.3-157.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:10093 | P | Security update for pam_radius (Moderate) | 2021-06-08
oval:org.opensuse.security:def:10642 | P | Security update for MozillaThunderbird (Moderate) | 2021-06-04
oval:org.opensuse.security:def:67986 | P | Security update for the Linux Kernel (Live Patch 20 for SLE 15 SP1) (Important) | 2021-05-25
oval:org.opensuse.security:def:10249 | P | Security update for ceph (Important) | 2021-05-04
oval:org.opensuse.security:def:66726 | P | Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk (Important) | 2021-04-07
oval:org.opensuse.security:def:66727 | P | Security update for bcc (Moderate) | 2021-04-07
oval:org.opensuse.security:def:10397 | P | Security update for salt (Critical) | 2021-02-26
oval:org.opensuse.security:def:70175 | P | Security update for python3 (Important) | 2020-12-23
oval:org.opensuse.security:def:70174 | P | Security update for xen (Moderate) | 2020-12-22
oval:org.opensuse.security:def:72624 | P | libgit2-26-0.26.8-3.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2220 | P | virt-install-2.2.1-8.38 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:107519 | P | libgit2-28-0.28.4-1.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:117077 | P | libgit2-28-0.28.4-1.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2211 | P | rsyslog-module-gssapi-8.39.0-2.90 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62905 | P | libgit2-26-0.26.8-3.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:1871 | P | libgit2-26-0.26.8-3.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:89984 | P | libgit2-26-0.26.8-3.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:72679 | P | libgit2-26-0.26.8-3.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2215 | P | spice-gtk-devel-0.37-1.92 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62960 | P | libgit2-26-0.26.8-3.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:1872 | P | libgit2-28-0.28.4-1.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:103639 | P | libgit2-26-0.26.8-3.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3980 | P | libgit2-24-0.24.1-7.9.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:94139 | P | libgit2-26-0.26.8-3.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:72680 | P | libgit2-28-0.28.4-1.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:16816 | P | libgit2-24-0.24.1-7.9.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62961 | P | libgit2-28-0.28.4-1.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:107518 | P | libgit2-26-0.26.8-3.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:117076 | P | libgit2-26-0.26.8-3.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:94140 | P | libgit2-28-0.28.4-1.28 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:73392 | P | Security update for python (Important) | 2020-12-02
oval:org.opensuse.security:def:10025 | P | Security update for python3 (Important) | 2020-12-02
oval:org.opensuse.security:def:73391 | P | Security update for python3 (Important) | 2020-12-02
oval:org.opensuse.security:def:10553 | P | libtidy-0_99-0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49842 | P | libgit2-26 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10017 | P | xdg-utils on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49220 | P | libpq5 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49929 | P | python2-salt on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51309 | P | Security update for ppp (Important) | 2020-12-01
oval:org.opensuse.security:def:49707 | P | open-vm-tools-desktop on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17484 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:50033 | P | sblim-sfcb on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17660 | P | Recommended update for libksba (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10620 | P | NetworkManager on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:67886 | P | libIlmImf-2_2-23 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49734 | P | cups-ddk on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10047 | P | cyrus-sasl-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17837 | P | Security update for ImageMagick (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10976 | P | libapr-util1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10478 | P | libXv-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17960 | P | Security update for php5 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49843 | P | libgit2-28 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:73509 | P | libgit2-26 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49076 | P | cups-filters on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49473 | P | libvdpau-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49960 | P | libshibsp-lite7 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:18624 | P | Security update for libgit2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17926 | P | Security update for ntp (Important) | 2020-12-01
oval:org.opensuse.security:def:70069 | P | libSDL-1_2-0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17603 | P | Security update for libqt4 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49788 | P | libgit2-26 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17727 | P | Security update for subversion (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51371 | P | Security update for libgit2 (Important) | 2020-12-01
oval:org.opensuse.security:def:17476 | P | Security update for libvirt (Important) | 2020-12-01
oval:org.opensuse.security:def:10459 | P | krb5-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10629 | P | augeas-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:73510 | P | libgit2-28 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49864 | P | python3-tools on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10578 | P | openexr-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49316 | P | python3-python3-saml on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:70070 | P | libSDL2-2_0-0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49797 | P | pam-devel-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49789 | P | libtidy-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17518 | P | Security update for MozillaFirefox and mozilla-nss (Important) | 2020-12-01
oval:org.opensuse.security:def:18598 | P | Security update for qpdf (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17691 | P | Security update for java-1_7_1-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:17938 | P | Security update for java-1_8_0-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:10998 | P | libgit2-24 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17869 | P | Security update for xen (Important) | 2020-12-01
oval:com.ubuntu.artful:def:201810888000 | V | CVE-2018-10888 on Ubuntu 17.10 (artful) - medium. | 2018-07-10
oval:com.ubuntu.bionic:def:201810888000 | V | CVE-2018-10888 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-07-10
oval:com.ubuntu.bionic:def:2018108880000000 | V | CVE-2018-10888 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-07-10
oval:com.ubuntu.trusty:def:201810888000 | V | CVE-2018-10888 on Ubuntu 14.04 LTS (trusty) - medium. | 2018-07-10
oval:com.ubuntu.xenial:def:2018108880000000 | V | CVE-2018-10888 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-07-10
oval:com.ubuntu.xenial:def:201810888000 | V | CVE-2018-10888 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-07-10
    libgit2 libgit2 *
    debian debian linux 8.0
    debian debian linux 9.0
    libgit2 libgit2 0.26.0 -