CVE-2019-17502

Name of the Vulnerable Software and Affected Versions Hydra versions prior to 0.1.9

Description The issue arises from a NULL pointer dereference and daemon crash when processing POST requests that lack a Content-Length header. This is attributed to the process header end() function, which calls boa atoi(), ultimately leading to atoi() being called on a NULL pointer. The files read.c, request.c, and util.c are involved in this process.

Recommendations For Hydra versions prior to 0.1.9, consider updating to a version that includes a fix for this issue to prevent daemon crashes when handling specific POST requests. As a temporary workaround, consider restricting access to the process header end() function or ensuring that all POST requests include a valid Content-Length header until a patch is available.