CVE-2018-18820 — icecast2 - security update

Description

A buffer overflow was discovered in the URL-authentication backend of the Icecast before 2.4.4. If the backend is enabled, then any malicious HTTP client can send a request for that specific resource including a crafted header, leading to denial of service and potentially remote code execution.

How to fix CVE-2018-18820

To remediate CVE-2018-18820, upgrade the affected package to a fixed version below.

—upgrade to 2.4.4-r0 or later
—upgrade to 2.4.4-1 or later
—upgrade to 2.4.0-1.1+deb8u2 or later
—upgrade to 2.4.2-1+deb9u1 or later

Is CVE-2018-18820 being exploited?

Likely — EPSS is 62.7%, placing CVE-2018-18820 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (4)

from 0, < 2.4.4-r0
from 0, < 2.4.4-1
from 0, < 2.4.0-1.1+deb8u2
from 0, < 2.4.2-1+deb9u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2018-18820
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-18820