CVE-2018-1000168 — HIGH (7.5)

Q: How severe is CVE-2018-1000168?

CVE-2018-1000168 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-1000168?

Check the references section above for vendor advisories and patch information. Affected products include: Nghttp2 Nghttp2, Nodejs Node.Js, Debian Debian Linux.

Vulnerability Description

nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Nghttp2	Nghttp2	>= 1.10.0, <= 1.31.0
Nodejs	Node.Js	>= 6.0.0, <= 6.8.1
Debian	Debian Linux	9.0

Related Weaknesses (CWE)

CWE-20 CWE-476

References

http://www.securityfocus.com/bid/103952Broken LinkThird Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:0366Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0367Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00011.htmlMailing ListThird Party Advisory
https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/Vendor Advisory
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/Release NotesThird Party Advisory
http://www.securityfocus.com/bid/103952Broken LinkThird Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:0366Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0367Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00011.htmlMailing ListThird Party Advisory
https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/Vendor Advisory
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/Release NotesThird Party Advisory

FAQ

What is CVE-2018-1000168?

CVE-2018-1000168 is a vulnerability with a CVSS score of 7.5 (HIGH). nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service....

How severe is CVE-2018-1000168?

CVE-2018-1000168 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-1000168?

Check the references section above for vendor advisories and patch information. Affected products include: Nghttp2 Nghttp2, Nodejs Node.Js, Debian Debian Linux.