CVE-2023-40586
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-40586
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40586.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-40586
- Aliases
- Published
- 2023-08-25T20:35:27Z
- Modified
- 2025-11-04T20:14:33.546912Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- go package github.com/corazawaf/coraza is vulnerable to denial of service
- Details
-
OWASP Coraza WAF is a golang modsecurity compatible web application firewall library. Due to the misuse of
log.Fatalf, the application using coraza crashed after receiving crafted requests from attackers. The application will immediately crash after receiving a malicious request that triggers an error inmime.ParseMediaType. This issue was patched in version 3.0.1. - Database specific
{ "cwe_ids": [ "CWE-400" ] }- References
Affected packages
Git / github.com/corazawaf/coraza
Affected ranges
- Type
- GIT
- Repo
- https://github.com/corazawaf/coraza
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v1.*
v1.0.0
v1.0.0-beta.1
v1.0.0-beta.2
v1.0.0-beta.3
v1.0.0-beta.4
v1.0.0-beta.5
v1.0.0-beta.6
v1.0.0-beta.7
v1.1.0
v1.2.0
v2.*
v2.0.0
v2.0.0-alpha.1
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.0-beta.4
v2.0.0-beta.5
v2.0.0-beta.6
v2.0.0-rc.1
v2.0.0-rc.2
v2.0.0-rc.3
v3.*
v3.0.0
v3.0.0-rc.1
v3.0.0-rc.2
v3.0.0-rc.3