PT-2023-27522 · Owasp · Owasp Coraza Waf

Rmb122 · Published 2023-06-26 · Updated 2023-09-01 · CVE-2023-40586

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: OWASP Coraza WAF versions prior to 3.0.1

Description: The issue is caused by the misuse of log.Fatalf in the OWASP Coraza WAF library, which makes the application crash after receiving crafted requests from attackers. The application exits immediately after receiving a malicious request that causes mime.ParseMediaType to return an error, because that error is handled with log.Fatalf.

Recommendations: For versions prior to 3.0.1, update to version 3.0.1 to resolve the issue. As a temporary workaround, consider changing the error handling around the mime.ParseMediaType call so that it returns the error to the caller instead of using log.Fatalf, which calls os.Exit and terminates the whole process.
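The two error-handling patterns side by side, as an added example that is not Coraza's own code: the fatal variant described in the advisory and the hardened variant that returns the error so the request can be rejected with a 400 instead of exiting the process. The helper names (parseContentTypeFatal, parseContentType, inspectContentType) and the sample headers are assumptions constructed for this illustration.

```go
package main

import (
	"fmt"
	"log"
	"mime"
	"net/http"
)

// Vulnerable pattern, as described in the advisory: the parse error is
// treated as fatal, and log.Fatalf calls os.Exit, so one malformed
// Content-Type header takes down the whole WAF process. Shown for
// contrast only; nothing here calls it, because it would exit the process.
func parseContentTypeFatal(header string) (string, map[string]string) {
	mt, params, err := mime.ParseMediaType(header)
	if err != nil {
		log.Fatalf("parsing Content-Type %q: %v", header, err)
	}
	return mt, params
}

// Hardened pattern: return the error and let the caller decide; a bad
// header then costs that one client a 400, not everyone the process.
func parseContentType(header string) (string, map[string]string, error) {
	mt, params, err := mime.ParseMediaType(header)
	if err != nil {
		return "", nil, fmt.Errorf("parsing Content-Type %q: %w", header, err)
	}
	return mt, params, nil
}

// inspectContentType is a hypothetical request-inspection step (not a
// Coraza API). It returns the HTTP status to answer with, or 0 to continue.
func inspectContentType(header string) (int, error) {
	if header == "" {
		return 0, nil // no body type declared, nothing to parse
	}
	mt, params, err := parseContentType(header)
	if err != nil {
		return http.StatusBadRequest, err
	}
	log.Printf("media type %s with %d parameter(s)", mt, len(params))
	return 0, nil
}

func main() {
	// Constructed sample headers: one well-formed, one with a parameter that
	// has no value, which mime.ParseMediaType rejects with an error.
	for _, h := range []string{"text/plain; charset=utf-8", "text/plain; charset"} {
		status, err := inspectContentType(h)
		fmt.Printf("%-28q -> status %d, err: %v\n", h, status, err)
	}
}
```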

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2023-40586
GHSA-C2PJ-V37R-2P6H
GO-2023-1874

Affected Products

Owasp Coraza Waf