Lucene search

GoogleOSV:CVE-2023-34188

HistoryJun 23, 2023 - 8:15 p.m.

CVE-2023-34188

2023-06-2320:15:09

Google

osv.dev

cve-2023-34188

attack payload

tcp

infinite loop

server vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

50.5%

JSON

The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.

References

blog.narfindustries.com/blog/narf-discovers-critical-vulnerabilities-in-cesanta-mongoose-http-server

github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f

github.com/cesanta/mongoose/compare/7.9...7.10

github.com/cesanta/mongoose/pull/2197

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

50.5%

JSON

Related for OSV:CVE-2023-34188