CVE-2023-40586 go package github.com/corazawaf/coraza is vulnerable to denial of service

2023-08-2520:35:27

CWE-400

GitHub_M

www.cve.org

cve-2023-40586

denial of service

coraza waf

owasp

modsecurity

crafted requests

log.fatalf

version 3.0.1

mime.parsemediatype

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0005 Low

EPSS

Percentile

17.1%

JSON

OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. Due to the misuse of log.Fatalf, the application using coraza crashed after receiving crafted requests from attackers. The application will immediately crash after receiving a malicious request that triggers an error in mime.ParseMediaType. This issue was patched in version 3.0.1.

CNA Affected

[
  {
    "vendor": "corazawaf",
    "product": "coraza",
    "versions": [
      {
        "version": "< 3.0.1",
        "status": "affected"
      }
    ]
  }
]