{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-02-09T00:00:00", "descriptions": [{"lang": "en", "value": "In ZZIPlib 0.13.68, there is an uncontrolled memory allocation and a crash in the __zzip_parse_root_directory function of zzip/zip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-28T14:06:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "103050", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/103050"}, {"name": "USN-3699-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3699-1/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/gdraheim/zziplib/issues/22"}, {"name": "[debian-lts-announce] 20180220 [SECURITY] [DLA 1287-1] zziplib security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00022.html"}, {"name": "[debian-lts-announce] 20200628 [SECURITY] [DLA 2258-1] zziplib security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00029.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-6869", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In ZZIPlib 0.13.68, there is an uncontrolled memory allocation and a crash in the __zzip_parse_root_directory function of zzip/zip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "103050", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103050"}, {"name": "USN-3699-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3699-1/"}, {"name": "https://github.com/gdraheim/zziplib/issues/22", "refsource": "MISC", "url": "https://github.com/gdraheim/zziplib/issues/22"}, {"name": "[debian-lts-announce] 20180220 [SECURITY] [DLA 1287-1] zziplib security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00022.html"}, {"name": "[debian-lts-announce] 20200628 [SECURITY] [DLA 2258-1] zziplib security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00029.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T06:17:16.648Z"}, "title": "CVE Program Container", "references": [{"name": "103050", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/103050"}, {"name": "USN-3699-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/3699-1/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/gdraheim/zziplib/issues/22"}, {"name": "[debian-lts-announce] 20180220 [SECURITY] [DLA 1287-1] zziplib security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00022.html"}, {"name": "[debian-lts-announce] 20200628 [SECURITY] [DLA 2258-1] zziplib security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00029.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-6869", "datePublished": "2018-02-09T06:00:00", "dateReserved": "2018-02-09T00:00:00", "dateUpdated": "2024-08-05T06:17:16.648Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zziplib_project:zziplib:0.13.68:*:*:*:*:*:*:*", "matchCriteriaId": "DAE8C11C-3F5D-4CDD-AA3F-7BCEB7DDDA19", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "matchCriteriaId": "9070C9D8-A14A-467F-8253-33B966C16886", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In ZZIPlib 0.13.68, there is an uncontrolled memory allocation and a crash in the __zzip_parse_root_directory function of zzip/zip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file."}, {"lang": "es", "value": "En ZZIPlib 0.13.68, hay una asignaci\u00f3n de memoria no controlada y un cierre inesperado en la funci\u00f3n __zzip_parse_root_directory en zzip/zip.c. Los atacantes remotos pueden aprovechar esta vulnerabilidad para provocar una denegaci\u00f3n de servicio (DoS) mediante un archivo zip manipulado."}], "id": "CVE-2018-6869", "lastModified": "2024-11-21T04:11:19.947", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-09T06:29:00.257", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/103050"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/gdraheim/zziplib/issues/22"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00022.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00029.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3699-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/103050"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/gdraheim/zziplib/issues/22"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00029.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3699-1/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "zziplib: uncontrolled memory allocation in __zzip_parse_root_directory in zzip/zip.c", "id": "1543941", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1543941"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-400", "details": ["In ZZIPlib 0.13.68, there is an uncontrolled memory allocation and a crash in the __zzip_parse_root_directory function of zzip/zip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file.", "An uncontrolled memory allocation was found in ZZIPlib that could lead to a crash in the __zzip_parse_root_directory function of zzip/zip.c if the package is compiled with Address Sanitizer. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file."], "name": "CVE-2018-6869", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "zziplib", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "zziplib", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2018-02-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-6869\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-6869"], "statement": "Red Hat Product Security has rated this issue as having security impact of Low. This issue does not affect the versions of ZZIPlib as shipped in Red Hat Enterprise Linux 7, unless the package is recompiled with Address Sanitizer. The flaw is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Low"}