Vulnerability CVE-2018-0361


Published: 2018-07-16

Description:
ClamAV before 0.100.1 lacks a PDF object length check, resulting in an unreasonably long time to parse a relatively small file.

Type: CWE-20 (Improper Input Validation)

Vendor: Debian
Product: Debian Linux
Version: 8.0
Vendor: ClamAV
Product: ClamAV
Version:
0.99.4
0.99.3
0.99.2
0.99.1
0.99.0
0.98.7
0.98.6
0.98.5
0.98.4
0.98.3
0.98.1
0.98.0
0.97.8
0.97.7
0.97.6
0.97.5
0.97.4
0.97.3
0.97.2
0.97.1
0.97.0
0.97
0.96.5
0.96.4
0.96.3
0.96.2
0.96.1
0.96.0
0.96
0.95.3
0.95.2
0.95.1
0.95.0
0.95
0.94.2
0.94.1
0.94.0
0.94
0.93.3
0.93.2
0.93.1
0.93.0
0.93
0.92_p0
0.92.1
0.92.0
0.92
0.91.2_p0
0.91.2
0.91.1
0.91.0
0.91
0.90.3_p1
0.90.3_p0
0.90.3
0.90.2_p0
0.90.2
0.90.1_p0
0.90.1
0.90.0
0.90
0.88.7_p1
0.88.7_p0
0.88.7
0.88.6
0.88.5
0.88.4
0.88.3
0.88.2
0.88.1
0.88.0
0.88
0.87.1
0.87.0
0.87
0.86.2
0.86.1
0.86.0
0.86
0.85.1
0.85.0
0.85
0.84.0
0.84
0.83.0
0.83
0.82.0
0.82
0.81.0
0.81
0.80_rc
0.80.0
0.80
0.75.1
0.75.0
0.75
0.74.0
See more versions on NVD

CVSS2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

References:
http://www.securitytracker.com/id/1041367
https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html
https://lists.debian.org/debian-lts-announce/2018/08/msg00020.html
https://security.gentoo.org/glsa/201904-12

Related CVE
CVE-2019-1798
A vulnerability in the Portable Executable (PE) file scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. T...
CVE-2019-1788
A vulnerability in the Object Linking & Embedding (OLE2) file scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected ...
CVE-2019-1787
A vulnerability in the Portable Document Format (PDF) scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected de...
CVE-2019-1786
A vulnerability in the Portable Document Format (PDF) scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and 0.101.0 could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected ...
CVE-2019-1785
A vulnerability in the RAR file scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and 0.101.0 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is...
CVE-2018-15378
A vulnerability in ClamAV versions prior to 0.100.2 could allow an attacker to cause a denial of service (DoS) condition. The vulnerability is due to an error related to the MEW unpacker within the "unmew11()" function (libclamav/mew.c), which can be...
CVE-2018-0360
ClamAV before 0.100.1 has an HWP integer overflow with a resultant infinite loop via a crafted Hangul Word Processor file. This is in parsehwp3_paragraph() in libclamav/hwp.c.
CVE-2018-0202
clamscan in ClamAV before 0.99.4 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation checking mechanis...

Copyright 2019, cxsecurity.com

 
