CVE-2018-0202 — MEDIUM (5.5)

Q: How severe is CVE-2018-0202?

CVE-2018-0202 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-0202?

Check the references section above for vendor advisories and patch information. Affected products include: Clamav Clamav, Canonical Ubuntu Linux, Debian Debian Linux.

Vulnerability Description

clamscan in ClamAV before 0.99.4 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation checking mechanisms when handling Portable Document Format (.pdf) files sent to an affected device. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted .pdf file to an affected device. This action could cause an out-of-bounds read when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition. This concerns pdf_parse_array and pdf_parse_string in libclamav/pdfng.c. Cisco Bug IDs: CSCvh91380, CSCvh91400.

CVSS Score

5.5

MEDIUM

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Clamav	Clamav	<= 0.99.3
Canonical	Ubuntu Linux	12.04
Debian	Debian Linux	7.0

Related Weaknesses (CWE)

CWE-125

References

https://bugzilla.clamav.net/show_bug.cgi?id=11973Issue TrackingPatchThird Party Advisory
https://bugzilla.clamav.net/show_bug.cgi?id=11980Issue TrackingThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/03/msg00011.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/201804-16Third Party Advisory
https://usn.ubuntu.com/3592-1/Third Party Advisory
https://usn.ubuntu.com/3592-2/Third Party Advisory
https://bugzilla.clamav.net/show_bug.cgi?id=11973Issue TrackingPatchThird Party Advisory
https://bugzilla.clamav.net/show_bug.cgi?id=11980Issue TrackingThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/03/msg00011.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/201804-16Third Party Advisory
https://usn.ubuntu.com/3592-1/Third Party Advisory
https://usn.ubuntu.com/3592-2/Third Party Advisory

FAQ

What is CVE-2018-0202?

CVE-2018-0202 is a vulnerability with a CVSS score of 5.5 (MEDIUM). clamscan in ClamAV before 0.99.4 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is ...

How severe is CVE-2018-0202?

CVE-2018-0202 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-0202?

Check the references section above for vendor advisories and patch information. Affected products include: Clamav Clamav, Canonical Ubuntu Linux, Debian Debian Linux.