GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due
to improper parsing of a multipart/form-data boundary in the
MHD_create_post_processor() function in postprocessor.c. This allows an
attacker to remotely send a malicious HTTP POST request that includes one or
more ‘\0’ bytes in a multipart/form-data boundary field, which, assuming a
specific heap layout, will result in an out-of-bounds read and a crash in
the find_boundary() function.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | libmicrohttpd | < any | UNKNOWN |
ubuntu | 20.04 | noarch | libmicrohttpd | < any | UNKNOWN |
ubuntu | 22.04 | noarch | libmicrohttpd | < any | UNKNOWN |
ubuntu | 23.10 | noarch | libmicrohttpd | < any | UNKNOWN |
ubuntu | 24.04 | noarch | libmicrohttpd | < any | UNKNOWN |
ubuntu | 14.04 | noarch | libmicrohttpd | < any | UNKNOWN |
ubuntu | 16.04 | noarch | libmicrohttpd | < any | UNKNOWN |

git.gnunet.org/libmicrohttpd.git/commit/?id=6d6846e20bfdf4b3eb1b592c97520a532f724238
git.gnunet.org/libmicrohttpd.git/commit/?id=e0754d1638c602382384f1eface30854b1defeec (v0.9.76)
github.com/0xhebi/CVEs/tree/main/GNU%20Libmicrohttpd
launchpad.net/bugs/cve/CVE-2023-27371
lists.gnu.org/archive/html/libmicrohttpd/2023-02/msg00000.html
nvd.nist.gov/vuln/detail/CVE-2023-27371
security-tracker.debian.org/tracker/CVE-2023-27371
www.cve.org/CVERecord?id=CVE-2023-27371