The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.
{
"binaries": [
{
"binary_name": "libswupdate0.1",
"binary_version": "2023.12.1+dfsg-1ubuntu5"
},
{
"binary_name": "lua-swupdate",
"binary_version": "2023.12.1+dfsg-1ubuntu5"
},
{
"binary_name": "swupdate",
"binary_version": "2023.12.1+dfsg-1ubuntu5"
},
{
"binary_name": "swupdate-www",
"binary_version": "2023.12.1+dfsg-1ubuntu5"
}
]
}