Kong lua-multipart multipart.lua is_header redos
CVE-2020-36661

3.5LOW

Key Information:

Vendor: Kong
Status: Lua-multipart
Vendor: CVE Published:; 12 February 2023

What is CVE-2020-36661?

A vulnerability was found in Kong lua-multipart 0.5.8-1. It has been declared as problematic. This vulnerability affects the function is_header of the file src/multipart.lua. The manipulation leads to inefficient regular expression complexity. Upgrading to version 0.5.9-1 is able to address this issue. The patch is identified as d632e5df43a2928fd537784a99a79dec288bf01b. It is recommended to upgrade the affected component. VDB-220642 is the identifier assigned to this vulnerability.

Affected Version(s)

lua-multipart 0.5.8-1

References

https://vuldb.com/?id.220642

vdb-entrytechnical-description

https://vuldb.com/?ctiid.220642

signaturepermissions-required

https://github.com/Kong/lua-multipart/pull/34

issue-tracking

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

CVSS V3.0

Score:

3.5

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 12, 2023
Vulnerability Reserved
Feb 11, 2023

Credit

VulDB GitHub Commit Analyzer

CVE-2020-36661 Data

JSON