CVE-2019-17420 — Incomplete Cleanup in Libhtp

CWE-459 — Incomplete Cleanup CWE-20 — Improper Input Validation5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 52.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oisf Libhtp Suricata-ids Suricata

Timeline

PublishedOct 10

Latest updateMay 24

Description

In OISF LibHTP before 0.5.31, as used in Suricata 4.1.4 and other products, an HTTP protocol parsing error causes the http_header signature to not alert on a response with a single \r\n ending.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDoisf/libhtp< 0.5.31

▶Debianoisf/libhtp< 1:0.5.31-1+3

▶NVDsuricata-ids/suricata4.1.4

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-9gx8-hhv8-hw56: In OISF LibHTP before 0↗2022-05-24

▶

OSV

CVE-2019-17420: In OISF LibHTP before 0↗2019-10-10

▶

CVEList

CVE-2019-17420: In OISF LibHTP before 0↗2019-10-09

▶

📋Vendor Advisories

Debian

CVE-2019-17420: libhtp - In OISF LibHTP before 0.5.31, as used in Suricata 4.1.4 and other products, an H...↗2019

▶