PT-2023-9347 · Gnu+7 · Gnu Libmicrohttpd+7

Dejan Alvadzijevic +1 · Published 2023-02-28 · Updated 2025-01-20 · CVE-2023-27371

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

GNU libmicrohttpd versions prior to 0.9.76

Description

The issue is related to improper parsing of a multipart/form-data boundary in the MHD_create_post_processor() function. An attacker can exploit it by sending a malicious HTTP POST packet, potentially resulting in an out-of-bounds read and a crash in the find_boundary() function. Exploitation of this issue may allow a remote attacker to cause a denial of service.

Recommendations

For GNU libmicrohttpd versions prior to 0.9.76, update to version 0.9.76 or later to resolve the issue. As a temporary workaround, consider restricting access to the postprocessor.c module or disabling the MHD_create_post_processor() function until a patch is available. Avoid using the boundary field in multipart/form-data requests until the issue is resolved.

Exploit

Fix

DoS

Out of bounds Read

Weakness Enumeration

Related Identifiers

ALSA-2023:6566
ALSA-2023:7090
ALT-PU-2023-1530
ALT-PU-2023-1582
AZL-25347
BDU:2024-06864
CESA-2023_7090
CVE-2023-27371
DLA-3374-1
INFSA-2023_6566
OESA-2023-1171
OPENSUSE-SU-2024:12739-1
RHSA-2023:6566
RHSA-2023:7090
RHSA-2023_6566
RHSA-2023_7090
RHSA-2024:0584
RHSA-2024:1109
ROSA-SA-2023-2217
SUSE-SU-2023:1686-1
SUSE-SU-2023:1686-2
SUSE-SU-2023:1944-1
SUSE-SU-2023_1686-1
SUSE-SU-2023_1944-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Gnu Libmicrohttpd
Red Hat
Red Os
Suse