NVD:CVE-2023-34188
Jun 23, 2023 - 8:15 p.m.

CVE-2023-34188

2023-06-23 20:15:09
web.nvd.nist.gov
http server
mongoose
cve-2023-34188
infinite loop
attack payload
tcp

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 50.5%

The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.
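
The defensive check this description implies, as an added example (not Mongoose's code and not taken from the fix): a Content-Length value is accepted only if it is an unsigned decimal within a cap, so a framing step either consumes at least the header block or refuses the request. The function names and the max_body cap are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: digits only (optional blanks around), capped at max. */
static bool parse_content_length(const char *v, size_t n, size_t max, size_t *out) {
  size_t i = 0, val = 0;
  while (i < n && (v[i] == ' ' || v[i] == '\t')) i++;
  if (i == n || !isdigit((unsigned char)v[i])) return false; /* "", "-1", "+5" */
  for (; i < n && isdigit((unsigned char)v[i]); i++) {
    size_t d = (size_t)(v[i] - '0');
    if (d > max || val > (max - d) / 10) return false;       /* over cap or overflow */
    val = val * 10 + d;
  }
  while (i < n && (v[i] == ' ' || v[i] == '\t')) i++;
  if (i != n) return false;                                   /* trailing junk */
  *out = val;
  return true;
}

static bool has_prefix_ci(const char *s, size_t n, const char *p) {
  for (size_t i = 0; p[i]; i++)
    if (i >= n || tolower((unsigned char)s[i]) != tolower((unsigned char)p[i])) return false;
  return true;
}

/* Frame one request in buf[0..len): returns bytes to consume (always > 0),
 * 0 if more data is needed, -1 if the request must be rejected. */
static long frame_request(const char *buf, size_t len, size_t max_body) {
  static const char name[] = "Content-Length:";
  size_t hdr_end = 0, body = 0, nl = sizeof(name) - 1;
  int seen = 0;
  for (size_t i = 0; i + 4 <= len && hdr_end == 0; i++)
    if (memcmp(buf + i, "\r\n\r\n", 4) == 0) hdr_end = i + 4;
  if (hdr_end == 0) return 0;                    /* headers incomplete */
  for (size_t pos = 0; pos < hdr_end;) {         /* walk CRLF-terminated lines */
    const char *eol = memchr(buf + pos, '\n', hdr_end - pos); /* never NULL here */
    size_t line_len = (size_t)(eol - (buf + pos));
    if (has_prefix_ci(buf + pos, line_len, name)) {
      size_t vlen = line_len - nl;
      if (vlen > 0 && buf[pos + line_len - 1] == '\r') vlen--;
      /* duplicates and malformed values (negative included) are refused */
      if (seen++ || !parse_content_length(buf + pos + nl, vlen, max_body, &body)) return -1;
    }
    pos += line_len + 1;
  }
  if (len - hdr_end < body) return 0;            /* body incomplete */
  return (long)(hdr_end + body);
}
```

A caller that treats -1 as "reject and close" and otherwise drops exactly the returned byte count from its receive buffer cannot re-enter the parser on the same unconsumed bytes.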

Affected configurations

Nvd
Node: cesanta mongoose, Range: <7.10

Vendor: cesanta
Product: mongoose
Version: *
CPE: cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*
