CVE-2022-38667
CRITICAL 9.8
Description
HTTP applications (servers) based on Crow through 1.0+4 may allow a Use-After-Free and code execution when HTTP pipelining is used. The HTTP parser supports HTTP pipelining, but the asynchronous Connection layer is unaware of HTTP pipelining. Specifically, the Connection layer is unaware that it has begun processing a later request before it has finished processing an earlier request.
CVE Details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 8/22/2022
Last modified: 11/21/2024
Source: nvd
Honeypot sightings: 0
Affected products
crowcpp:crow
Weaknesses (CWE)
CWE-416
References
https://cwe.mitre.org/data/definitions/372.html (cve@mitre.org)
https://github.com/CrowCpp/Crow/pull/524 (cve@mitre.org)
https://gynvael.coldwind.pl/?id=753 (cve@mitre.org)
https://cwe.mitre.org/data/definitions/372.html (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/0xhebi/CVEs/blob/main/Crow/CVE-2022-38667.md (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/CrowCpp/Crow/pull/524 (af854a3a-2127-422b-91ae-364da2661108)
https://gynvael.coldwind.pl/?id=753 (af854a3a-2127-422b-91ae-364da2661108)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.