CVE-2018-1000222 - Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability in gdImageBmpPtr Function tha

CVE-2018-1000222

Summary

Libgd version 2.2.5 contains a Double Free Vulnerability vulnerability in gdImageBmpPtr Function that can result in Remote Code Execution . This attack appear to be exploitable via Specially Crafted Jpeg Image can trigger double free. This vulnerability appears to have been fixed in after commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5.

References

Vulnerable Configurations

cpe:2.3:a:libgd:libgd:2.2.5:*:*:*:*:*:*:*
cpe:2.3:a:libgd:libgd:2.2.5:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 31-03-2020 - 02:15)
Impact:
Exploitability:

CWE

CWE-415

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

confirm	https://github.com/libgd/libgd/issues/447
fedora	FEDORA-2020-e795f92d79
gentoo	GLSA-201903-18
mlist	[debian-lts-announce] 20190130 [SECURITY] [DLA 1651-1] libgd2 security update
ubuntu	USN-3755-1

Last major update

31-03-2020 - 02:15

Published

20-08-2018 - 20:29

Last modified

31-03-2020 - 02:15