CVE-2018-1000168

HIGH7.5EPSS 3.4%

nghttp2 - security update

發布日:2018/5/8修改日:2025/12/3

也稱為:ALPINE-CVE-2018-1000168DEBIAN-CVE-2018-1000168

描述

nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.

受影響套件(3)

Alpine/nodejsfrom 0, < 8.11.3-r0
Debian/nghttp2from 0, < 1.31.1-1
Debian/nghttp2from 0, < 1.18.1-1+deb9u2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

參考連結(2)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2018-1000168
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2018-1000168