Buffer Overflow Vulnerability in libmicrohttpd Affects Multiple Systems
CVE-2021-3466
9.8 CRITICAL
Summary
A missing bounds check in the post_process_urlencoded function of libmicrohttpd results in a buffer overflow. A remote attacker can exploit this flaw to inject arbitrary data into applications that use libmicrohttpd, potentially compromising data confidentiality and integrity. Exploitation can also disrupt service, so system availability is at risk as well. The only affected version is 0.9.70; users and administrators should review their deployments and apply the necessary updates.
Affected Version(s)
libmicrohttpd 0.9.70
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved