CVE-2019-18218 — file - security update

Description

cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).

How to fix CVE-2019-18218

To remediate CVE-2019-18218, upgrade the affected package to a fixed version below.

Alpine/file—upgrade to 5.37-r1 or later
—upgrade to 1:5.37-6 or later
—upgrade to 1:5.22+15-2+deb8u6 or later
—upgrade to 1:5.30-1+deb9u3 or later
—upgrade to 7.0.33-0+deb9u11 or later

Is CVE-2019-18218 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

from 0, < 5.37-r1
from 0, < 1:5.37-6
from 0, < 1:5.22+15-2+deb8u6
from 0, < 1:5.30-1+deb9u3
from 0, < 7.0.33-0+deb9u11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2019-18218
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-18218