Vulnerability Name: CVE-2018-8099 (CCN-140329)

Assigned: 2018-03-08
Published: 2018-03-08
Updated: 2022-04-25
Summary: Incorrect returning of an error code in the index.c:read_entry() function leads to a double free in libgit2 before v0.26.2, which allows an attacker to cause a denial of service via a crafted repository index file.

CVSS v3 Severity:
6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): High

5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): High

CVSS v2 Severity:
4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): Partial

4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): Complete

Vulnerability Type: CWE-415
Vulnerability Consequences: Denial of Service
References:

Source: MITRE
Type: CNA
CVE-2018-8099

Source: XF
Type: UNKNOWN
libgit2-cve20188099-dos(140329)

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/libgit2/libgit2/commit/58a6fe94cb851f71214dbefac3f9bffee437d6fe

Source: CCN
Type: libgit2 GIT Repository
Security Information

Source: CONFIRM
Type: Patch, Third Party Advisory
https://libgit2.github.com/security/

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20220321 [SECURITY] [DLA 2936-1] libgit2 security update

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:libgit2:libgit2:*:*:*:*:*:*:*:* (Version < 0.26.2)

Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:libgit2:libgit2:0.26.0:-:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions
    Definition ID / Class / Title / Last Modified
    oval:org.opensuse.security:def:20188099
    V
    CVE-2018-8099
    2023-06-22
    oval:org.opensuse.security:def:8032
    P
    libgit2-1_3-1.3.0-150400.3.6.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:3400
    P
    xdg-utils-20140630-6.3.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:1402
    P
    Security update for the Linux Kernel (Live Patch 11 for SLE 15 SP3) (Important) (in QA)
    2022-06-27
    oval:org.opensuse.security:def:1401
    P
    Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP3) (Important) (in QA)
    2022-06-27
    oval:org.opensuse.security:def:95030
    P
    libgit2-1_3-1.3.0-150400.1.6 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:1347
    P
    Security update for the Linux Kernel (Live Patch 2 for SLE 15 SP3) (Important)
    2022-05-10
    oval:org.opensuse.security:def:1301
    P
    Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP3) (Important)
    2022-04-14
    oval:org.opensuse.security:def:849
    P
    Security update for python (Moderate)
    2022-04-01
    oval:org.opensuse.security:def:1816
    P
    Security update for the Linux Kernel (Important)
    2022-03-08
    oval:org.opensuse.security:def:895
    P
    Security update for qemu (Low)
    2022-01-25
    oval:org.opensuse.security:def:10444
    P
    Security update for MozillaFirefox (Important) (in QA)
    2022-01-14
    oval:org.opensuse.security:def:64639
    P
    Security update for xorg-x11-server (Important)
    2021-12-14
    oval:org.opensuse.security:def:10174
    P
    Security update for samba (Important)
    2021-11-19
    oval:org.opensuse.security:def:10351
    P
    Security update for python-Pygments (Important)
    2021-10-20
    oval:org.opensuse.security:def:10155
    P
    Security update for ffmpeg (Important)
    2021-09-23
    oval:org.opensuse.security:def:71339
    P
    libyaml-0-2-0.1.7-1.17 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:71226
    P
    libX11-6-1.6.5-3.3.1 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:10338
    P
    Security update for java-11-openjdk (Important)
    2021-09-03
    oval:org.opensuse.security:def:10329
    P
    Security update for openssl-1_0_0 (Important)
    2021-08-24
    oval:org.opensuse.security:def:10321
    P
    Security update for libass (Important)
    2021-08-20
    oval:org.opensuse.security:def:10140
    P
    Security update for java-1_8_0-openjdk (Important)
    2021-08-20
    oval:org.opensuse.security:def:10325
    P
    Security update for java-1_8_0-openjdk (Important)
    2021-08-20
    oval:org.opensuse.security:def:10316
    P
    Security update for webkit2gtk3 (Important)
    2021-08-17
    oval:org.opensuse.security:def:48331
    P
    unrar-5.0.14-3.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47699
    P
    libcdio14-0.90-6.3.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47417
    P
    libtasn1-4.9-1.7 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47969
    P
    ceph-common-12.2.12+git.1568024032.02236657ca-2.39.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47385
    P
    libopenjp2-7-2.1.0-3.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47370
    P
    libldb1-1.1.29-1.13 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48071
    P
    libX11-6-1.6.2-12.5.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47745
    P
    libmusicbrainz4-2.1.5-27.79 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47831
    P
    mutt-1.10.1-55.6.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47431
    P
    libvte9-0.28.2-19.7 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47416
    P
    libtag1-1.9.1-1.218 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48117
    P
    libgnomesu-2.0.0-353.6.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47506
    P
    stunnel-5.00-3.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:48285
    P
    python-numpy-1.8.0-5.8.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47877
    P
    rpm-32bit-4.11.2-16.16.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47371
    P
    libltdl7-2.4.2-16.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47923
    P
    xfsprogs-4.15.0-1.12 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:47552
    P
    apache-commons-httpclient-3.1-4.364 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:100853
    P
    gstreamer-1.16.2-1.53 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:72739
    P
    libgit2-28-0.28.4-1.28 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:101278
    P
    libgit2-28-0.28.4-1.28 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:63020
    P
    libgit2-28-0.28.4-1.28 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:100852
    P
    gssproxy-0.8.2-3.6.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:1931
    P
    libgit2-28-0.28.4-1.28 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:64552
    P
    Security update for webkit2gtk3 (Important)
    2021-08-03
    oval:org.opensuse.security:def:1769
    P
    Security update for ffmpeg (Important)
    2021-07-14
    oval:org.opensuse.security:def:10274
    P
    Security update for the Linux Kernel (Important)
    2021-06-09
    oval:org.opensuse.security:def:124517
    P
    libgit2-24-0.24.1-7.6.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48496
    P
    libgnomesu-2.0.0-353.6.2 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48369
    P
    apache2-mod_jk-1.2.40-5.2 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:72577
    P
    libgit2-26-0.26.3-1.26 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:16511
    P
    libgit2-24-0.24.1-7.6.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48644
    P
    w3m-0.5.3-157.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:66819
    P
    Security update for gstreamer-plugins-bad (Important)
    2021-06-08
    oval:org.opensuse.security:def:11302
    P
    ft2demos-2.5.3-2.11 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:10093
    P
    Security update for pam_radius (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48542
    P
    libpython2_7-1_0-2.7.9-24.2 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48415
    P
    fetchmail-6.3.26-12.3 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48527
    P
    libneon27-0.30.0-3.64 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:62858
    P
    libgit2-26-0.26.3-1.26 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:11280
    P
    cups-filters-1.0.58-2.6 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48431
    P
    gnome-settings-daemon-3.20.1-40.5 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48573
    P
    libzip2-0.11.1-12.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:48598
    P
    perl-Tk-804.031-3.76 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:66818
    P
    Security update for libX11 (Important)
    2021-06-08
    oval:org.opensuse.security:def:48477
    P
    libXvnc1-1.6.0-12.6 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:10642
    P
    Security update for MozillaThunderbird (Moderate)
    2021-06-04
    oval:org.opensuse.security:def:67986
    P
    Security update for the Linux Kernel (Live Patch 20 for SLE 15 SP1) (Important)
    2021-05-25
    oval:org.opensuse.security:def:10249
    P
    Security update for ceph (Important)
    2021-05-04
    oval:org.opensuse.security:def:66726
    P
    Security update for flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk (Important)
    2021-04-07
    oval:org.opensuse.security:def:66727
    P
    Security update for bcc (Moderate)
    2021-04-07
    oval:org.opensuse.security:def:10397
    P
    Security update for salt (Critical)
    2021-02-26
    oval:org.opensuse.security:def:70175
    P
    Security update for python3 (Important)
    2020-12-23
    oval:org.opensuse.security:def:70174
    P
    Security update for xen (Moderate)
    2020-12-22
    oval:org.opensuse.security:def:62960
    P
    libgit2-26-0.26.8-3.8.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:3980
    P
    libgit2-24-0.24.1-7.9.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:94139
    P
    libgit2-26-0.26.8-3.8.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:1871
    P
    libgit2-26-0.26.8-3.8.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:103639
    P
    libgit2-26-0.26.8-3.8.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62961
    P
    libgit2-28-0.28.4-1.28 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:72624
    P
    libgit2-26-0.26.8-3.8.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:16816
    P
    libgit2-24-0.24.1-7.9.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:117076
    P
    libgit2-26-0.26.8-3.8.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:94140
    P
    libgit2-28-0.28.4-1.28 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:1872
    P
    libgit2-28-0.28.4-1.28 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:107518
    P
    libgit2-26-0.26.8-3.8.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:72679
    P
    libgit2-26-0.26.8-3.8.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:117077
    P
    libgit2-28-0.28.4-1.28 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62905
    P
    libgit2-26-0.26.8-3.8.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:107519
    P
    libgit2-28-0.28.4-1.28 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:89984
    P
    libgit2-26-0.26.8-3.8.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:72680
    P
    libgit2-28-0.28.4-1.28 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:73392
    P
    Security update for python (Important)
    2020-12-02
    oval:org.opensuse.security:def:10025
    P
    Security update for python3 (Important)
    2020-12-02
    oval:org.opensuse.security:def:73391
    P
    Security update for python3 (Important)
    2020-12-02
    oval:org.opensuse.security:def:17484
    P
    Security update for java-1_8_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:17727
    P
    Security update for subversion (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49842
    P
    libgit2-26 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49789
    P
    libtidy-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10553
    P
    libtidy-0_99-0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17660
    P
    Recommended update for libksba (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17938
    P
    Security update for java-1_8_0-ibm (Important)
    2020-12-01
    oval:org.opensuse.security:def:67886
    P
    libIlmImf-2_2-23 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49688
    P
    libplist++-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10976
    P
    libapr-util1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10459
    P
    krb5-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49843
    P
    libgit2-28 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:73509
    P
    libgit2-26 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17518
    P
    Security update for MozillaFirefox and mozilla-nss (Important)
    2020-12-01
    oval:org.opensuse.security:def:17837
    P
    Security update for ImageMagick (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17476
    P
    Security update for libvirt (Important)
    2020-12-01
    oval:org.opensuse.security:def:18624
    P
    Security update for libgit2 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10620
    P
    NetworkManager on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:70069
    P
    libSDL-1_2-0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10578
    P
    openexr-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49734
    P
    cups-ddk on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17691
    P
    Security update for java-1_7_1-ibm (Important)
    2020-12-01
    oval:org.opensuse.security:def:17960
    P
    Security update for php5 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:73510
    P
    libgit2-28 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10478
    P
    libXv-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:49742
    P
    libgit2-26 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17603
    P
    Security update for libqt4 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17926
    P
    Security update for ntp (Important)
    2020-12-01
    oval:org.opensuse.security:def:70070
    P
    libSDL2-2_0-0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10047
    P
    cyrus-sasl-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17869
    P
    Security update for xen (Important)
    2020-12-01
    oval:org.opensuse.security:def:49788
    P
    libgit2-26 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:18598
    P
    Security update for qpdf (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10017
    P
    xdg-utils on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10629
    P
    augeas-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10998
    P
    libgit2-24 on GA media (Moderate)
    2020-12-01
    oval:com.ubuntu.bionic:def:201880990000000
    V
    CVE-2018-8099 on Ubuntu 18.04 LTS (bionic) - low.
    2018-03-14
    oval:com.ubuntu.xenial:def:201880990000000
    V
    CVE-2018-8099 on Ubuntu 16.04 LTS (xenial) - low.
    2018-03-14
    oval:com.ubuntu.disco:def:201880990000000
    V
    CVE-2018-8099 on Ubuntu 19.04 (disco) - low.
    2018-03-14
    oval:com.ubuntu.artful:def:20188099000
    V
    CVE-2018-8099 on Ubuntu 17.10 (artful) - untriaged.
    2018-03-13
    oval:com.ubuntu.xenial:def:20188099000
    V
    CVE-2018-8099 on Ubuntu 16.04 LTS (xenial) - low.
    2018-03-13
    oval:com.ubuntu.bionic:def:20188099000
    V
    CVE-2018-8099 on Ubuntu 18.04 LTS (bionic) - low.
    2018-03-13
    oval:com.ubuntu.cosmic:def:20188099000
    V
    CVE-2018-8099 on Ubuntu 18.10 (cosmic) - low.
    2018-03-13
    oval:com.ubuntu.cosmic:def:201880990000000
    V
    CVE-2018-8099 on Ubuntu 18.10 (cosmic) - low.
    2018-03-13
    oval:com.ubuntu.trusty:def:20188099000
    V
    CVE-2018-8099 on Ubuntu 14.04 LTS (trusty) - low.
    2018-03-13
    libgit2 libgit2 *
    debian debian linux 9.0
    libgit2 libgit2 0.26.0 -