CVE-2013-7038: Buffer Overflow
First published: Mon Dec 09 2013(Updated: )
An out-of-bounds memory read flaw was found in the MHD_http_unescape() function in libmicrohttpd. This could possibly lead to information disclosure or allow a remote attacker to cause an application using libmicrohttpd to crash. This issue has been resolved in version 0.9.32. References: <a href="https://gnunet.org/svn/libmicrohttpd/ChangeLog">https://gnunet.org/svn/libmicrohttpd/ChangeLog</a> <a href="http://secunia.com/advisories/55903/">http://secunia.com/advisories/55903/</a> <a href="https://bugs.gentoo.org/show_bug.cgi?id=493450">https://bugs.gentoo.org/show_bug.cgi?id=493450</a> Acknowledgements: This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Libmicrohttpd | <=0.9.31 | |
| Libmicrohttpd | =0.9.16 | |
| Libmicrohttpd | =0.9.17 | |
| Libmicrohttpd | =0.9.18 | |
| Libmicrohttpd | =0.9.19 | |
| Libmicrohttpd | =0.9.20 | |
| Libmicrohttpd | =0.9.21 | |
| Libmicrohttpd | =0.9.22 | |
| Libmicrohttpd | =0.9.23 | |
| Libmicrohttpd | =0.9.24 | |
| Libmicrohttpd | =0.9.25 | |
| Libmicrohttpd | =0.9.26 | |
| Libmicrohttpd | =0.9.27 | |
| Libmicrohttpd | =0.9.28 | |
| Libmicrohttpd | =0.9.29 | |
| Libmicrohttpd | =0.9.30 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://gnunet.org/svn/libmicrohttpd/ChangeLog
- http://secunia.com/advisories/55903/
- https://bugs.gentoo.org/show_bug.cgi?id=493450
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1039385
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1039386
- http://www.openwall.com/lists/oss-security/2013/12/09/1
- https://bugzilla.redhat.com/show_bug.cgi?id=1039384
- http://secunia.com/advisories/55903
- http://security.gentoo.org/glsa/glsa-201402-01.xml
- http://www.openwall.com/lists/oss-security/2013/12/09/11
- http://www.securityfocus.com/bid/64138
Frequently Asked Questions
What is the severity of CVE-2013-7038?
The severity of CVE-2013-7038 is considered to be medium due to the potential for information disclosure and application crashes.
How do I fix CVE-2013-7038?
To fix CVE-2013-7038, upgrade to libmicrohttpd version 0.9.32 or later.
What versions of libmicrohttpd are affected by CVE-2013-7038?
CVE-2013-7038 affects libmicrohttpd versions up to and including 0.9.31.
Can CVE-2013-7038 be exploited remotely?
Yes, CVE-2013-7038 can potentially be exploited remotely, allowing an attacker to cause a crash in applications using libmicrohttpd.
What is the nature of the vulnerability in CVE-2013-7038?
CVE-2013-7038 is an out-of-bounds memory read flaw in the MHD_http_unescape() function.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/author
- agent/references
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-7038
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/gnu
- canonical/libmicrohttpd
- version/libmicrohttpd/0.9.31
- version/libmicrohttpd/0.9.16
- version/libmicrohttpd/0.9.17
- version/libmicrohttpd/0.9.18
- version/libmicrohttpd/0.9.19
- version/libmicrohttpd/0.9.20
- version/libmicrohttpd/0.9.21
- version/libmicrohttpd/0.9.22
- version/libmicrohttpd/0.9.23
- version/libmicrohttpd/0.9.24
- version/libmicrohttpd/0.9.25
- version/libmicrohttpd/0.9.26
- version/libmicrohttpd/0.9.27
- version/libmicrohttpd/0.9.28
- version/libmicrohttpd/0.9.29
- version/libmicrohttpd/0.9.30