CVE-2018-1000168: Input Validation
First published: Mon Apr 09 2018(Updated: )
nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nghttp2 | <1.31.1 | 1.31.1 |
| Nghttp2 Nghttp2 | >=1.10.0<=1.31.0 | |
| Nodejs Node.js | >=6.0.0<=6.8.1 | |
| Nodejs Node.js | >=8.4.0<=8.17.0 | |
| Nodejs Node.js | >=9.0.0<=9.11.2 | |
| Nodejs Node.js | >=10.0.0<10.4.1 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/103952
- https://access.redhat.com/errata/RHSA-2019:0366
- https://access.redhat.com/errata/RHSA-2019:0367
- https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html
- https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/
- https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1419700&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1419700&action=edit
- https://github.com/nodejs/node/commit/ce22d6f9178507c7a41b04ac4097b9ea902049e3#diff-8d67cefebb5e07f8f3cad3c90c402bb2
- http://www.openwall.com/lists/oss-security/2018/04/12/4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1566990
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1566989
- https://bugzilla.redhat.com/show_bug.cgi?id=1565035
Frequently Asked Questions
What is CVE-2018-1000168?
CVE-2018-1000168 is a vulnerability in nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 that contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling.
How severe is CVE-2018-1000168?
CVE-2018-1000168 has a severity rating of 7.5 (high).
Which software versions are affected by CVE-2018-1000168?
nghttp2 version >= 1.10.0 and <= v1.31.0, Node.js versions 6.0.0 to 6.8.1, 8.4.0 to 8.17.0, and 9.0.0 to 9.11.2, as well as Debian Linux version 9.0 are affected by CVE-2018-1000168.
How can the CVE-2018-1000168 vulnerability be exploited?
The CVE-2018-1000168 vulnerability can be exploited through a network client.
How can I fix CVE-2018-1000168?
To fix CVE-2018-1000168, you should update your nghttp2 package to version 1.31.1.
- collector/nvd-index
- agent/type
- agent/weakness
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- agent/severity
- agent/references
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-1000168
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/nghttp2
- canonical/nghttp2 nghttp2
- version/nghttp2 nghttp2/1.10.0
- version/nghttp2 nghttp2/1.31.0
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/6.0.0
- version/nodejs node.js/6.8.1
- version/nodejs node.js/8.4.0
- version/nodejs node.js/8.17.0
- version/nodejs node.js/9.0.0
- version/nodejs node.js/9.11.2
- version/nodejs node.js/10.0.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- package-manager/redhat