Denial of Service Vulnerability in GNU libmicrohttpd Affects Multiple Applications
CVE-2023-27371

5.9MEDIUM

Key Information:

Vendor: Gnu
Status: LIBMicrohttpd
Vendor: CVE Published:; 28 February 2023

Summary

GNU libmicrohttpd versions prior to 0.9.76 are susceptible to a Denial of Service vulnerability that arises from improper handling of multipart/form-data boundaries in the postprocessor. This flaw allows an attacker to discreetly send a malformed HTTP POST request, which includes null ('\0') bytes in the boundary field. If the request is crafted in a specific way, it can lead to an out-of-bounds read during processing, ultimately causing a crash when the find_boundary() function is executed. This vulnerability can disrupt services relying on the affected versions of libmicrohttpd.

References

https://git.gnunet.org/libmicrohttpd.git/commit/?id=6d684...

https://github.com/0xhebi/CVEs/tree/main/GNU%20Libmicrohttpd

https://lists.gnu.org/archive/html/libmicrohttpd/2023-02/...

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 28, 2023
Vulnerability Reserved
Feb 28, 2023