{
  "threat_severity" : "Important",
  "public_date" : "2019-05-10T00:00:00Z",
  "bugzilla" : {
    "description" : "libarchive: use-after-free in archive_read_format_rar_read_data when there is an error in the decompression of an archive entry",
    "id" : "1769979",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1769979"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol.", "A use-after-free vulnerability was discovered in libarchive in the way it processes RAR archives when there is an error in one of the archive's entries. An application that accepts untrusted RAR archives may be vulnerable to this flaw, which could allow a remote attacker to cause a denial of service or to potentially execute code." ],
  "statement" : "This issue did not affect the versions of libarchive as shipped with Red Hat Enterprise Linux 6 as they did not include support for RAR archives.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-01-22T00:00:00Z",
    "advisory" : "RHSA-2020:0203",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "libarchive-0:3.1.2-14.el7_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-01-29T00:00:00Z",
    "advisory" : "RHSA-2020:0271",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "libarchive-0:3.3.2-8.el8_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions",
    "release_date" : "2020-01-27T00:00:00Z",
    "advisory" : "RHSA-2020:0246",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.0",
    "package" : "libarchive-0:3.3.2-4.el8_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "libarchive",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-18408\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-18408" ],
  "name" : "CVE-2019-18408",
  "mitigation" : {
    "value" : "No known mitigation.",
    "lang" : "en:us"
  },
  "csaw" : false
}