CVE-2022-3409
HIGHOpenBMC 2.10.0-2.12.9 - Denial of Service via Unclosed HTTP Headers in Multipart Parser
Title source: llmDescription
A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service. This vulnerability was identified during mitigation for CVE-2022-2809. When fuzzing the multipart_parser code using AFL++ with address sanitizer enabled to find smallest memory corruptions possible. It detected problem in how multipart_parser handles unclosed http headers. If long enough http header is passed in the multipart form without colon there is one byte overwrite on heap. It can be conducted multiple times in a loop to cause DoS.
References (1)
Core 1
Core References
Product, Third Party Advisory
https://github.com/openbmc/bmcweb
Scores
CVSS v3
8.2
EPSS
0.0059
EPSS Percentile
43.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-121
CWE-229
CWE-787
Status
published
Products (1)
openbmc-project/openbmc
2.10.0 - 2.13.0
Published
Oct 27, 2022
Tracked Since
Feb 18, 2026