Details of VAR-201810-0766

ID

VAR-201810-0766

CVE

CVE-2018-1000804

TITLE

contiki-ng Buffer error vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-011260

DESCRIPTION

contiki-ng version 4 contains a Buffer Overflow vulnerability in AQL (Antelope Query Language) database engine that can result in Attacker can perform Remote Code Execution on device using Contiki-NG operating system. This attack appear to be exploitable via Attacker must be able to run malicious AQL code (e.g. via SQL-like Injection attack). contiki-ng Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Contiki-NG is an open source cross-platform operating system for the next generation of IoT devices. AQL (Antelope Query Language) database engine is one of the AQL database engines. The AQL database engine in Contiki-NG 4 has a buffer overflow vulnerability

Trust: 2.25

sources: NVD: CVE-2018-1000804 // JVNDB: JVNDB-2018-011260 // CNNVD: CNNVD-201810-247 // VULMON: CVE-2018-1000804

AFFECTED PRODUCTS

vendor:	contiki ng	model:	contiki-ng	scope:	eq	version:	4.0	Trust: 1.6
vendor:	contiki ng	model:	contiki-ng	scope:	eq	version:	4	Trust: 0.8

sources: JVNDB: JVNDB-2018-011260 // CNNVD: CNNVD-201810-247 // NVD: CVE-2018-1000804

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-1000804
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-1000804
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201810-247
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2018-1000804
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-1000804
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2018-1000804
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2018-1000804
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2018-1000804 // JVNDB: JVNDB-2018-011260 // CNNVD: CNNVD-201810-247 // NVD: CVE-2018-1000804

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2018-011260 // NVD: CVE-2018-1000804

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-247

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201810-247

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-011260

PATCH

title:	Fix Antelope issues with memory checking #624	url:	https://github.com/contiki-ng/contiki-ng/pull/624	Trust: 0.8
title:	Stack based buffer overflow while parsing AQL (parsing next token) #594	url:	https://github.com/contiki-ng/contiki-ng/issues/594	Trust: 0.8
title:	Contiki-NG AQL Database Engine Buffer Error Vulnerability Fix	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85449	Trust: 0.6

sources: JVNDB: JVNDB-2018-011260 // CNNVD: CNNVD-201810-247

EXTERNAL IDS

db:	NVD	id:	CVE-2018-1000804	Trust: 2.5
db:	JVNDB	id:	JVNDB-2018-011260	Trust: 0.8
db:	CNNVD	id:	CNNVD-201810-247	Trust: 0.6
db:	VULMON	id:	CVE-2018-1000804	Trust: 0.1

sources: VULMON: CVE-2018-1000804 // JVNDB: JVNDB-2018-011260 // CNNVD: CNNVD-201810-247 // NVD: CVE-2018-1000804

REFERENCES

url:	https://github.com/contiki-ng/contiki-ng/pull/624	Trust: 1.7
url:	https://github.com/contiki-ng/contiki-ng/issues/594	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1000804	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-1000804	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/119.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2018-1000804 // JVNDB: JVNDB-2018-011260 // CNNVD: CNNVD-201810-247 // NVD: CVE-2018-1000804

SOURCES

db:	VULMON	id:	CVE-2018-1000804
db:	JVNDB	id:	JVNDB-2018-011260
db:	CNNVD	id:	CNNVD-201810-247
db:	NVD	id:	CVE-2018-1000804

LAST UPDATE DATE

2024-11-23T23:08:34.057000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2018-1000804	date:	2019-09-27T00:00:00
db:	JVNDB	id:	JVNDB-2018-011260	date:	2019-01-09T00:00:00
db:	CNNVD	id:	CNNVD-201810-247	date:	2019-09-30T00:00:00
db:	NVD	id:	CVE-2018-1000804	date:	2024-11-21T03:40:23.477

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2018-1000804	date:	2018-10-08T00:00:00
db:	JVNDB	id:	JVNDB-2018-011260	date:	2019-01-09T00:00:00
db:	CNNVD	id:	CNNVD-201810-247	date:	2018-10-09T00:00:00
db:	NVD	id:	CVE-2018-1000804	date:	2018-10-08T15:29:00.527