CVE-2023-34188

The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://blog.narfindustries.com/blog/narf-discovers-critical-vulnerabilities-in-cesanta-mongoose-http-server
https://github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f	Patch
https://github.com/cesanta/mongoose/compare/7.9...7.10	Release Notes
https://github.com/cesanta/mongoose/pull/2197	Patch
https://blog.narfindustries.com/blog/narf-discovers-critical-vulnerabilities-in-cesanta-mongoose-http-server
https://github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f	Patch
https://github.com/cesanta/mongoose/compare/7.9...7.10	Release Notes
https://github.com/cesanta/mongoose/pull/2197	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:06

Type	Values Removed	Values Added
References	~~() https://blog.narfindustries.com/blog/narf-discovers-critical-vulnerabilities-in-cesanta-mongoose-http-server -~~	() https://blog.narfindustries.com/blog/narf-discovers-critical-vulnerabilities-in-cesanta-mongoose-http-server -
References	~~() https://github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f - Patch~~	() https://github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f - Patch
References	~~() https://github.com/cesanta/mongoose/compare/7.9...7.10 - Release Notes~~	() https://github.com/cesanta/mongoose/compare/7.9...7.10 - Release Notes
References	~~() https://github.com/cesanta/mongoose/pull/2197 - Patch~~	() https://github.com/cesanta/mongoose/pull/2197 - Patch

06 Sep 2023, 17:15

Type	Values Removed	Values Added
Summary	~~The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers.~~	The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.

17 Jul 2023, 18:15

Type	Values Removed	Values Added
References		(MISC) https://blog.narfindustries.com/blog/narf-discovers-critical-vulnerabilities-in-cesanta-mongoose-http-server -

10 Jul 2023, 16:03

Type	Values Removed	Values Added
CPE		cpe:2.3:a:cesanta:mongoose::::::::
First Time		Cesanta Cesanta mongoose
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~(MISC) https://github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f -~~	(MISC) https://github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f - Patch
References	~~(MISC) https://github.com/cesanta/mongoose/compare/7.9...7.10 -~~	(MISC) https://github.com/cesanta/mongoose/compare/7.9...7.10 - Release Notes
References	~~(MISC) https://github.com/cesanta/mongoose/pull/2197 -~~	(MISC) https://github.com/cesanta/mongoose/pull/2197 - Patch
CWE		NVD-CWE-Other

23 Jun 2023, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-06-23 20:15

Updated : 2024-11-21 08:06

NVD link : CVE-2023-34188

Mitre link : CVE-2023-34188

CVE.ORG link : CVE-2023-34188

JSON object : View

Products Affected

cesanta

mongoose

CWE

NVD-CWE-Other

7.5 /10