CVE-2023-27371
Published 2023-02-28
Medium, 5.9 (CVSS 3.1)
AV:N / AC:H / PR:N / UI:N / S:U / C:N / I:N / A:H
GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libmicrohttpd | < libmicrohttpd 0.9.75-6 (bookworm) | libmicrohttpd 0.9.75-6 (bookworm) |
| gnu | libmicrohttpd | < 0.9.76 | 0.9.76 |
| gnu | libmicrohttpd | >= 0 < 0.9.72-2+deb11u1 | 0.9.72-2+deb11u1 |
| gnu | libmicrohttpd | >= 0 < 0.9.75-6 | 0.9.75-6 |
| gnu | libmicrohttpd | >= 0 < 0.9.75-6 | 0.9.75-6 |
| gnu | libmicrohttpd | >= 0 < 0.9.75-6 | 0.9.75-6 |
| msrc | cbl2_libmicrohttpd_0.9.76-1_on_cbl_mariner_2.0 | — | — |
CVSS provenance
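| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 5.9 | MEDIUM | — |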