PT-2019-5515 · Openwrt · Openwrt

Jan-Niklas Sohn

·

Published

2019-12-22

·

Updated

2023-05-24

·

CVE-2019-19945

CVSS v2.0

7.8

High

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: OpenWrt versions 18.06.0 through 18.06.5; OpenWrt versions 19.0 through 19.07.0-rc2
Description: The issue is an integer signedness error in uhttpd, the web server of the OpenWrt embedded operating system, which can lead to an out-of-bounds access to a heap buffer and cause a crash. A remote attacker can trigger it with a specially crafted HTTP POST request to a CGI script that specifies both "Transfer-Encoding: chunked" and a large negative Content-Length value.
Recommendations: For OpenWrt versions 18.06.0 through 18.06.5, update to a version later than 18.06.5. For OpenWrt versions 19.0 through 19.07.0-rc2, update to a version later than 19.07.0-rc2. As a temporary workaround, consider restricting access to CGI scripts or disabling uhttpd until a patch is available.
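The two defects the description names, a signed parse of Content-Length and acceptance of a request that carries both framing headers, are illustrated below in a hardened request-framing check. This is an added example written for this page, not uhttpd's code; the header values in the comments are constructed, and the only request shape taken from the advisory is "Transfer-Encoding: chunked" combined with a negative Content-Length.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <strings.h>

/* Parse a Content-Length value into an unsigned size_t.
 * Rejects empty input, any non-digit character (so a leading '-' or '+'
 * can never be accepted and no negative value ever reaches a buffer size),
 * and values that would overflow size_t. */
static bool parse_content_length(const char *value, size_t *out)
{
    if (value == NULL || *value == '\0')
        return false;
    size_t n = 0;
    for (const char *p = value; *p != '\0'; p++) {
        if (!isdigit((unsigned char)*p))
            return false;
        unsigned d = (unsigned)(*p - '0');
        if (n > (SIZE_MAX - d) / 10)      /* n * 10 + d would overflow */
            return false;
        n = n * 10 + d;
    }
    *out = n;
    return true;
}

/* Decide how a request body is framed, given the raw header values
 * (NULL when the header is absent).
 * Returns  0: no body          (*len = 0)
 *          1: Content-Length   (*len = declared length)
 *          2: chunked
 *         -1: reject the request (malformed or negative length, or both
 *             framing headers present; RFC 7230 section 3.3.3 treats the
 *             combination as a request-smuggling risk that must not be
 *             served as-is). */
int body_framing(const char *transfer_encoding, const char *content_length,
                 size_t *len)
{
    bool chunked = transfer_encoding != NULL &&
                   strcasecmp(transfer_encoding, "chunked") == 0;
    if (chunked && content_length != NULL)
        return -1;          /* e.g. "chunked" + "-2147483648": the CVE-2019-19945 shape */
    if (chunked)
        return 2;
    if (content_length == NULL) { *len = 0; return 0; }
    if (!parse_content_length(content_length, len))
        return -1;          /* "-1", "abc", "" or an overflowing number */
    return 1;
}
```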

Fix

Buffer Overflow

Out-of-bounds Read

Weakness Enumeration

Related Identifiers

BDU:2020-03444
CVE-2019-19945

Affected Products

Openwrt