CVE-2020-13432
HIGH severity · CVSS 7.5 · Buffer overflow
7.5CVSS HIGH
Summary
rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual files or folders are used, allows remote attackers to trigger an invalid-pointer write access violation via concurrent HTTP requests with a long URI or long HTTP headers.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionNone
Confidentiality impactNone
Integrity impactNone
Availability impactHigh
Exploit probability (EPSS)33%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: https://github.com/rejetto/hfs2/commit/b8ebfc4e22948e1a61506cd66e397b61ea5ea5de ↗
Additional information
- NVD record
- https://github.com/rejetto/hfs2/commit/b8ebfc4e22948e1a61506cd66e397b61ea5ea5dePatch
- https://www.rejetto.com/hfs/?f=wnAdvisory
- http://seclists.org/fulldisclosure/2021/Apr/12
- http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFFER-OVERFLOW-DoS.txtAdvisory
- http://packetstormsecurity.com/files/157980/HFS-Http-File-Server-2.3m-Build-300-Buffer-Overflow.htmlAdvisory
- http://seclists.org/fulldisclosure/2020/Jun/13Advisory
- https://packetstormsecurity.com/files/157980/HFS-Http-File-Server-2.3m-Build-300-Buffer-Overflow.htmlAdvisory