PT-2021-21591 · M-Files · M-Files Web
Murat Aydemir · Published 2021-12-03 · Updated 2024-08-04
CVE-2021-37253
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
M-Files Web versions prior to 20.10.9524.1
Description
The issue allows a denial of service via overlapping ranges in HTTP requests carrying crafted Range or Request-Range headers. The finding is disputed because range handling is the responsibility of the web server, not of the individual web application.
Recommendations
For versions prior to 20.10.9524.1, update to version 20.10.9524.1 or later to resolve the issue. As a temporary workaround, consider rejecting HTTP requests that carry overlapping ranges in the Range or Request-Range headers until a patch is available.
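The workaround above, as an added example that is not M-Files code and not part of the advisory: a Python request filter that parses the byte ranges in Range and Request-Range headers and flags requests whose ranges overlap or are excessively many. MAX_RANGES is an assumed threshold, not a value from the advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed example (not M-Files code): a request filter that flags Range /
# Request-Range headers whose byte ranges overlap, the workaround the advisory
# suggests. MAX_RANGES is an assumed threshold, not a value from the advisory.
MAX_RANGES = 16
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def parse_byte_ranges(value: str, content_length: int) -> Optional[List[Tuple[int, int]]]:
    """Parse 'bytes=a-b,c-,-n' (RFC 7233) into absolute (start, end) pairs. Returns None
    for a malformed or non-byte header (a server ignores it); unsatisfiable ranges are dropped."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in specs.split(","):
        match = RANGE_SPEC.match(spec)
        if not match or match.group(1) == match.group(2) == "":
            return None
        first, last = match.groups()
        if first == "":                       # suffix range: the last N bytes
            suffix = int(last)
            if suffix == 0:
                return None
            start, end = max(0, content_length - suffix), content_length - 1
        else:
            start = int(first)
            end = int(last) if last else content_length - 1
            if end < start:
                return None
            end = min(end, content_length - 1)
        if start < content_length:            # otherwise unsatisfiable: skip
            ranges.append((start, end))
    return ranges

def has_overlapping_ranges(ranges: List[Tuple[int, int]]) -> bool:
    """True when any two ranges share at least one byte."""
    ordered = sorted(ranges)
    return any(nxt[0] <= cur[1] for cur, nxt in zip(ordered, ordered[1:]))

def should_reject(headers: Dict[str, str], content_length: int) -> bool:
    """Reject a request whose Range or Request-Range header overlaps or lists too many ranges."""
    lowered = {name.lower(): val for name, val in headers.items()}
    for name in ("range", "request-range"):
        ranges = parse_byte_ranges(lowered.get(name, ""), content_length)
        if ranges and (len(ranges) > MAX_RANGES or has_overlapping_ranges(ranges)):
            return True
    return False
```

A header the server would ignore anyway (wrong unit, bad syntax) is treated as absent, so the filter only blocks requests a range-capable server would actually try to satisfy.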
HTTP Request/Response Smuggling
Affected Products
M-Files Web