CVE-2023-40586

2023-08-2521:15:09

CWE-400

[email protected]

web.nvd.nist.gov

owasp

coraza

waf

golang

modsecurity

library

log.fatalf

crash

security vulnerability

cve-2023-40586

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0005 Low

EPSS

Percentile

17.0%

JSON

OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. Due to the misuse of log.Fatalf, the application using coraza crashed after receiving crafted requests from attackers. The application will immediately crash after receiving a malicious request that triggers an error in mime.ParseMediaType. This issue was patched in version 3.0.1.

Affected configurations

Vulners

NVD

Node

corazawafcorazaRange<3.0.1

CPENameOperatorVersion
coraza:corazacorazaeq3.0.0

CPE	Name	Operator	Version
coraza:coraza	coraza	eq	3.0.0

CNA Affected

[
  {
    "vendor": "corazawaf",
    "product": "coraza",
    "versions": [
      {
        "version": "< 3.0.1",
        "status": "affected"
      }
    ]
  }
]