Heap-based Buffer Overflow Vulnerability in uC-HTTP Could Lead to Arbitrary Code Execution
CVE-2023-45318

CVSS score: 10 (CRITICAL)

Key Information:

Vendor:
CVE Published: 20 February 2024

What is CVE-2023-45318?

A heap-based buffer overflow vulnerability exists in the HTTP Server component of Weston Embedded uC-HTTP, specifically at git commit 80d4004. A specially crafted network packet can trigger the overflow and lead to arbitrary code execution on the affected system. An attacker can send such a packet to trigger this vulnerability, potentially compromising the security of affected applications and systems.

Affected Version(s)

Silicon Labs Gecko Platform 4.3.2.0

uC-HTTP git commit 80d4004

CVSS v3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Discovered by Kelly Patterson of Cisco Talos.