CVE-2018-1000517

high-risk
Published 2018-06-26

BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.

Do I need to act?

!
16.1% chance of exploitation in next 30 days
EPSS score — higher than 84% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 10a38174403c44760c1941424f4e540075e59696
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (7)

Affected Vendors

Debian Canonical Busybox

References (8)

Patch https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a7186...
Mailing List https://lists.debian.org/debian-lts-announce/2018/07/msg00037.html
Mailing List https://lists.debian.org/debian-lts-announce/2021/02/msg00020.html
Third Party Advisory https://usn.ubuntu.com/3935-1/
Patch https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a7186...
Mailing List https://lists.debian.org/debian-lts-announce/2018/07/msg00037.html
Mailing List https://lists.debian.org/debian-lts-announce/2021/02/msg00020.html
Third Party Advisory https://usn.ubuntu.com/3935-1/
59
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 13/34 · Low
Exposure 14/34 · Moderate