CVE-2018-10888 - OpenCVE

A flaw was found in libgit2 before version 0.27.3. A missing check in git_delta_apply function in delta.c file, may lead to an out-of-bound read while reading a binary delta file. An attacker may use this flaw to cause a Denial of Service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Libgit2	Libgit2

Configuration 1 [-]

cpe:2.3:a:libgit2:libgit2:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

No data.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=1598024
https://github.com/libgit2/libgit2/commit/9844d38bed10e9ff17174434b3421b227ae710f3
https://github.com/libgit2/libgit2/releases/tag/v0.27.3
https://lists.debian.org/debian-lts-announce/2018/08/msg00024.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2018-07-10T14:00:00Z

Updated: 2024-09-16T16:18:17.644Z

Reserved: 2018-05-09T00:00:00

Link: CVE-2018-10888

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-07-10T14:29:00.323

Modified: 2023-11-07T02:51:34.430

Link: CVE-2018-10888

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "libgit2", "vendor": "libgit2", "versions": [{"status": "affected", "version": "before version 0.27.3"}]}], "datePublic": "2018-07-09T00:00:00", "descriptions": [{"lang": "en", "value": "A flaw was found in libgit2 before version 0.27.3. A missing check in git_delta_apply function in delta.c file, may lead to an out-of-bound read while reading a binary delta file. An attacker may use this flaw to cause a Denial of Service."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20->CWE-125", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-21T02:06:08", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libgit2/libgit2/commit/9844d38bed10e9ff17174434b3421b227ae710f3"}, {"name": "[debian-lts-announce] 20180825 [SECURITY] [DLA 1477-1] libgit2 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/08/msg00024.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libgit2/libgit2/releases/tag/v0.27.3"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1598024"}, {"name": "[debian-lts-announce] 20220321 [SECURITY] [DLA 2936-1] libgit2 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "DATE_PUBLIC": "2018-07-09T00:00:00", "ID": "CVE-2018-10888", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "libgit2", "version": {"version_data": [{"version_value": "before version 0.27.3"}]}}]}, "vendor_name": "libgit2"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in libgit2 before version 0.27.3. A missing check in git_delta_apply function in delta.c file, may lead to an out-of-bound read while reading a binary delta file. An attacker may use this flaw to cause a Denial of Service."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20->CWE-125"}]}]}, "references": {"reference_data": [{"name": "https://github.com/libgit2/libgit2/commit/9844d38bed10e9ff17174434b3421b227ae710f3", "refsource": "CONFIRM", "url": "https://github.com/libgit2/libgit2/commit/9844d38bed10e9ff17174434b3421b227ae710f3"}, {"name": "[debian-lts-announce] 20180825 [SECURITY] [DLA 1477-1] libgit2 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/08/msg00024.html"}, {"name": "https://github.com/libgit2/libgit2/releases/tag/v0.27.3", "refsource": "CONFIRM", "url": "https://github.com/libgit2/libgit2/releases/tag/v0.27.3"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1598024", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1598024"}, {"name": "[debian-lts-announce] 20220321 [SECURITY] [DLA 2936-1] libgit2 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T07:54:34.822Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/libgit2/libgit2/commit/9844d38bed10e9ff17174434b3421b227ae710f3"}, {"name": "[debian-lts-announce] 20180825 [SECURITY] [DLA 1477-1] libgit2 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/08/msg00024.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/libgit2/libgit2/releases/tag/v0.27.3"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1598024"}, {"name": "[debian-lts-announce] 20220321 [SECURITY] [DLA 2936-1] libgit2 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-10888", "datePublished": "2018-07-10T14:00:00Z", "dateReserved": "2018-05-09T00:00:00", "dateUpdated": "2024-09-16T16:18:17.644Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libgit2:libgit2:*:*:*:*:*:*:*:*", "matchCriteriaId": "733BF26A-72FB-4851-928E-4F7759FEF8E2", "versionEndExcluding": "0.27.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libgit2 before version 0.27.3. A missing check in git_delta_apply function in delta.c file, may lead to an out-of-bound read while reading a binary delta file. An attacker may use this flaw to cause a Denial of Service."}, {"lang": "es", "value": "Se ha descubierto un problema en versiones anteriores a la 0.27.3 de libgit2. La falta de una comprobaci\u00f3n en la funci\u00f3n git_delta_apply en el archivo delta.c puede conducir a una lectura fuera de l\u00edmites mientras se lee un archivo delta binario. Un atacante podr\u00eda explotar este error para provocar una denegaci\u00f3n de servicio (DoS)."}], "id": "CVE-2018-10888", "lastModified": "2023-11-07T02:51:34.430", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-10T14:29:00.323", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1598024"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/libgit2/libgit2/commit/9844d38bed10e9ff17174434b3421b227ae710f3"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/libgit2/libgit2/releases/tag/v0.27.3"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/08/msg00024.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "secalert@redhat.com", "type": "Secondary"}]}