Description
A flaw was found in libmicrohttpd. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Only version 0.9.70 is vulnerable.
References (5)
Core 5
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4334XJNDJPYQNFE6S3S2KUJJ7TMHYCWL/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K5NEPVGP3L2CZHLZ4UB44PEILHKPDBOG/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75HDMREKITMGPGE62NP7KE62ZJVLETXN/
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202311-08
Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1939127
Scores
CVSS v3
9.8
EPSS
0.0042
EPSS Percentile
61.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-120
Status
published
Products (7)
fedoraproject/fedora
32
fedoraproject/fedora
33
fedoraproject/fedora
34
gnu/libmicrohttpd
0.9.70
redhat/enterprise_linux
6.0
redhat/enterprise_linux
7.0
redhat/enterprise_linux
8.0
Published
Mar 25, 2021
Tracked Since
Feb 18, 2026