{
  "schema_version": "1.4.0",
  "id": "GHSA-cj8j-r7q8-xg4f",
  "modified": "2022-05-14T00:58:02Z",
  "published": "2022-05-14T00:58:02Z",
  "aliases": [
    "CVE-2018-1000005"
  ],
  "details": "libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"
    }
  ],
  "affected": [],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000005"
    },
    {
      "type": "WEB",
      "url": "https://github.com/curl/curl/pull/2231"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1543"
    },
    {
      "type": "WEB",
      "url": "https://curl.haxx.se/docs/adv_2018-824a.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3554-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4098"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040273"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "severity": "CRITICAL",
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-24T22:29:00Z"
  }
}