OpenBSD 7.4 before errata 006 is vulnerable to NULL dereference in httpd
CVE-2024-11148

7.5HIGH

Key Information:

Vendor: OpenBSD
Status: OpenBSD
Vendor: CVE Published:; 5 December 2024

What is CVE-2024-11148?

The httpd(8) component in OpenBSD versions 7.3 and 7.4 is susceptible to a NULL dereference vulnerability. This flaw emerges when the server processes a malformed fastcgi request, leading to potential server disruptions or crashes. Implementing the latest patches provided in the respective errata is crucial for maintaining the integrity and availability of the service.

Affected Version(s)

OpenBSD 7.4

OpenBSD 7.4 < 7.4 errata 006

OpenBSD 7.3 < 7.3 errata 020

References

https://ftp.openbsd.org/pub/OpenBSD/patches/7.4/common/00...

https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/02...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 5, 2024
Vulnerability Reserved
Nov 12, 2024