CVE-2018-10184
high-risk
Published 2018-05-09
An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length was checked against the max_frame_size setting instead of being checked against the bufsize. The max_frame_size only applies to outgoing traffic and not to incoming, so if a large enough frame size is advertised in the SETTINGS frame, a wrapped frame will be defragmented into a temporary allocated buffer where the second fragment may overflow the heap by up to 16 kB. It is very unlikely that this can be exploited for code execution given that buffers are very short lived and their addresses not realistically predictable in production, but the likelihood of an immediate crash is absolutely certain.
Do I need to act?
!
25.1% chance of exploitation in next 30 days
EPSS score — higher than 75% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (5)
References (6)
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1372
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1372
53
/ 100
high-risk
Severity
26/34 · High
Exploitability
15/34 · Moderate
Exposure
12/34 · Low