CVE-2019-16200

Name of the Vulnerable Software and Affected Versions GNU Serveez versions prior to 0.2.3

Description The issue allows an attacker to send an HTTP POST request to the "/cgi-bin/reader" API endpoint, including a Content-length header with a large positive value that, when represented in 32-bit binary, evaluates to a negative number. This can lead to a heap-based buffer over-read, potentially causing information leakage. The problem is rooted in the http cgi write function, although exploitation may appear to originate from the svz envblock add function.

Recommendations For GNU Serveez versions prior to 0.2.3, update to version 0.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/cgi-bin/reader" API endpoint to minimize the risk of exploitation.