CVE-2022-34037
Published 2022-07-22
Priority: P336 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.97% (57.5th percentile)
An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. Note: This has been disputed as a bug, not a security vulnerability, in the Caddy web server that emerged when an administrator's bad configuration containing a malformed request URI caused the server to return an empty reply instead of a valid HTTP response to the client.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| caddyserver | caddy | — | — |
| github.com | caddyserver_caddy | >= 0 < 2.5.2 | 2.5.2 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | 7.5 | HIGH | — |
Red Hat
caddy: oob read allows for DoS
Source: vendor_redhat · 2022-07-22 · CVSS 7.5 · HIGH · CWE-125
Statement: Red Hat Product Security does not consider this to be a vulnerability.
Package: rhmtc/openshift-migration-controller-rhel8 (Migration Toolkit for Containers) - Not affected
Package: rhmtc/openshift-migration-velero-plugin-for-aws-rhel8 (Migration Toolkit for Containers) - Not affected
Package: rhmtc/open
GHSA
Withdrawn Advisory: Out-of-bounds Read can lead to client side denial of service
Source: ghsa · 2022-07-23 · HIGH · CWE-125
## Withdrawn Advisory
This advisory has been withdrawn because it is a bug, not a vulnerability. According to the maintainer, the bug only affects the client side of the request and cannot cause a denial of service on the server.
## Original Description
An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) on the client side via a crafted URI.
OSV
Withdrawn Advisory: Out-of-bounds Read can lead to client side denial of service
Source: osv · 2022-07-23 · HIGH (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.