Vulnerability Details CVE-2013-7039
Stack-based buffer overflow in the MHD_digest_auth_check function in libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to a large value, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long URI in an authentication header.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.024
EPSS Ranking 84.1%
CVSS Severity
CVSS v2 Score 5.1
References
- http://secunia.com/advisories/55903
- http://security.gentoo.org/glsa/glsa-201402-01.xml
- http://www.openwall.com/lists/oss-security/2013/12/09/11
- http://www.securityfocus.com/bid/64138
- https://bugs.gentoo.org/show_bug.cgi?id=493450
- https://bugzilla.redhat.com/show_bug.cgi?id=1039390
- https://gnunet.org/svn/libmicrohttpd/ChangeLog
- http://secunia.com/advisories/55903
- http://security.gentoo.org/glsa/glsa-201402-01.xml
- http://www.openwall.com/lists/oss-security/2013/12/09/11
- http://www.securityfocus.com/bid/64138
- https://bugs.gentoo.org/show_bug.cgi?id=493450
- https://bugzilla.redhat.com/show_bug.cgi?id=1039390
- https://gnunet.org/svn/libmicrohttpd/ChangeLog
Products affected by CVE-2013-7039
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.16
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.17
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.18
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.19
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.20
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.21
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.22
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.23
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.24
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.25
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.26
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.27
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.28
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.29
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.30
-
cpe:2.3:a:gnu:libmicrohttpd:0.9.31