{"id":"UBUNTU-CVE-2018-14645","details":"A flaw was discovered in the HPACK decoder of HAProxy, before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service.","modified":"2026-02-04T03:52:43.512229Z","published":"2018-09-21T00:00:00Z","related":["USN-3780-1"],"upstream":["CVE-2018-14645"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-14645"},{"type":"REPORT","url":"https://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=b4e05a3daa30f657db01ec144a0e48850c48f813"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14645"},{"type":"REPORT","url":"https://www.mail-archive.com/haproxy@formilux.org/msg31253.html"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-3780-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2018-14645"}],"affected":[{"package":{"name":"haproxy","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/haproxy@1.8.8-1ubuntu0.2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.8-1ubuntu0.2"}]}],"versions":["1.7.9-1ubuntu1","1.7.9-1ubuntu2","1.8.4-1","1.8.7-1","1.8.8-1","1.8.8-1ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_name":"haproxy","binary_version":"1.8.8-1ubuntu0.2"},{"binary_name":"vim-haproxy","binary_version":"1.8.8-1ubuntu0.2"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-14645.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}