CVE-2021-3466

CWE-120Classic Buffer Overflow6 documents6 sources
Severity
9.8CRITICAL
EPSS
0.4%
top 38.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Fedoraproject FedoraGNU LibmicrohttpdRedhat Enterprise Linux
Timeline
PublishedMar 25
Latest updateMay 24

Description

A flaw was found in libmicrohttpd. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Only version 0.9.70 is vulnerable.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

Debianlibmicrohttpd< 0.9.71-1+3
CVEListV5libmicrohttpdlibmicrohttpd 0.9.70
NVDgnu/libmicrohttpd0.9.70

Also affects: Fedora 32, 33, 34, Enterprise Linux 6.0, 7.0, 8.0

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

3
GHSA
GHSA-vjm5-89cg-7hj8: A flaw was found in libmicrohttpd in versions before 02022-05-24
CVEList
CVE-2021-3466: A flaw was found in libmicrohttpd2021-03-25
OSV
CVE-2021-3466: A flaw was found in libmicrohttpd2021-03-25

📋Vendor Advisories

2
Red Hat
libmicrohttpd: Buffer overflow issue in URL parser in the post_process_urlencoded function2021-03-15
Debian
CVE-2021-3466: libmicrohttpd - A flaw was found in libmicrohttpd. A missing bounds check in the post_process_ur...2021
CVE-2021-3466 (CRITICAL CVSS 9.8) | A flaw was found in libmicrohttpd | cvebase.io