VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2019 · Updated Aug 5, 2024

CVE-2018-18944

Description

Artha ~ The Open Thesaurus 1.0.3.0 has a Buffer Overflow.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Artha 1.0.3.0 contains a buffer overflow in the query/search field, leading to denial of service.

Vulnerability

Artha ~ The Open Thesaurus version 1.0.3.0 contains a buffer overflow vulnerability. The issue resides in the query or search functionality, where a long string of characters (e.g., 256 'A' characters) can be supplied as input. The application fails to properly bounds-check the input, leading to a buffer overflow when processing the overly long string [1].

Exploitation

An attacker can trigger the vulnerability by providing a crafted payload consisting of a long string of characters (256 or more 'A's) as a search/query input. The attacker does not require authentication or special privileges; local access to the application's user interface and the ability to paste or type the malicious input into the search field are sufficient. The exploit writes the payload to a file (exp.txt), which is then presumably copied and pasted into the search box, causing an immediate crash [1].

Impact

Successful exploitation results in a denial of service (DoS) condition: the application crashes and becomes unresponsive. The proof-of-concept demonstrates that the overflow leads to a crash; no code execution or data exfiltration is demonstrated in the public reference [1]. The impact is limited to application availability.

Mitigation

No official patch or fixed version has been released for this vulnerability. Users are advised to avoid copying and pasting untrusted text into the search field as a workaround. The software is no longer actively maintained (sourceforge.net project appears inactive). The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
