CVE-2018-1000301

curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Oracle	Enterprise Manager Ops Center Peoplesoft Enterprise Peopletools Communications Webrtc Session Controller
Canonical	Ubuntu Linux
Debian	Debian Linux
Redhat	Enterprise Linux Desktop Enterprise Linux Workstation Enterprise Linux Server
Haxx	Curl

Configuration 1 [-]

OR	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:17.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::

Configuration 3 [-]

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

Configuration 5 [-]

OR	cpe:2.3:a:oracle:communications_webrtc_session_controller::::::::
	cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:::::::*
	cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:::::::*

References

Link	Resource
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	Patch
http://www.securityfocus.com/bid/104225	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1040931	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHBA-2019:0327	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3157	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3558	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0544
https://access.redhat.com/errata/RHSA-2020:0594
https://curl.haxx.se/docs/adv_2018-b138.html	Patch Vendor Advisory
https://lists.debian.org/debian-lts-announce/2018/05/msg00010.html	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/201806-05	Third Party Advisory
https://usn.ubuntu.com/3598-2/	Third Party Advisory
https://usn.ubuntu.com/3648-1/	Third Party Advisory
https://www.debian.org/security/2018/dsa-4202	Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html