CVE-2022-3409

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-3409
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-3409.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-3409
Published
2022-10-27T13:15:11Z
Modified
2025-01-14T11:01:25.558336Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

A vulnerability in bmcweb of the OpenBMC Project allows a user to cause a denial of service. It was identified during mitigation work for CVE-2022-2809, while fuzzing the multipartparser code with AFL++ and AddressSanitizer enabled in order to find the smallest memory corruptions possible. The fuzzer detected a problem in how multipartparser handles unclosed HTTP headers: if a long enough header line without a colon is passed in the multipart form, a one-byte heap overwrite occurs. Triggering this repeatedly in a loop can cause a DoS.

References

Affected packages

Git / github.com/openbmc/openbmc

Affected ranges

Type
GIT
Repo
https://github.com/openbmc/openbmc
Events

Affected versions

2.*

2.10.0-dev
2.11.0-dev
2.12.0-dev
2.13.0-dev