Vulnerability Description
The libevt_record_values_read_event() function in libevt_record_values.c in libevt before 2018-03-17 does not properly check for out-of-bounds values of the user SID data size, strings size, or data size. NOTE: the vendor has disputed this, as described in libyal/libevt issue 5 on GitHub.
CVSS Score
5.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Libevt Project | Libevt | < 20180317 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://github.com/libyal/libevt/commit/9d2cc3ca0a1612a6b271abcacffc2e3eea42925e (Patch, Vendor Advisory)
- https://www.debian.org/security/2018/dsa-4160 (Third Party Advisory)
FAQ
What is CVE-2018-8754?
CVE-2018-8754 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The libevt_record_values_read_event() function in libevt_record_values.c in libevt before 2018-03-17 does not properly check for out-of-bounds values of the user SID data size, strings size, or data size....
How severe is CVE-2018-8754?
CVE-2018-8754 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2018-8754?
Check the references section above for vendor advisories and patch information. Affected products include Libevt (Libevt Project) and Debian Linux (Debian).