CVE-2022-38667

Sažetak

HTTP applications (servers) based on Crow through 1.0+4 may allow a Use-After-Free and code execution when HTTP pipelining is used. The HTTP parser supports HTTP pipelining, but the asynchronous Connection layer is unaware of HTTP pipelining. Specifically, the Connection layer is unaware that it has begun processing a later request before it has finished processing an earlier request.

Reference

https://github.com/CrowCpp/Crow/pull/524
https://cwe.mitre.org/data/definitions/372.html
https://gynvael.coldwind.pl/?id=753
https://github.com/0xhebi/CVEs/blob/main/Crow/CVE-2022-38667.md

CVSS

Base:	9.8
Impact:	5.9
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	-

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

28-10-2022 - 19:04

Objavljeno

22-08-2022 - 20:15