CVE Vulnerability

CVE-2022-38667

HTTP applications (servers) based on Crow through 1.0+4 may allow a Use-After-Free and code execution when HTTP pipelining is used. The HTTP parser supports HTTP pipelining, but the asynchronous Connection layer is unaware of HTTP pipelining. Specifically, the Connection layer is unaware that it has begun processing a later request before it has finished processing an earlier request.

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/CrowCpp/Crow/pull/524 Patch Third Party Advisory
https://cwe.mitre.org/data/definitions/372.html Technical Description Third Party Advisory
https://gynvael.coldwind.pl/?id=753 Exploit Third Party Advisory
https://github.com/0xhebi/CVEs/blob/main/Crow/CVE-2022-38667.md Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:crowcpp:crow:*:*:*:*:*:*:*:*
Information

Published : 2022-08-22 08:15

Updated : 2022-10-28 07:04

NVD link : CVE-2022-38667

Mitre link : CVE-2022-38667

Products Affected
No products.
CWE
CWE-416