LAYER: meta PACKAGE NAME: libmicrohttpd PACKAGE VERSION: 1.0.1 CVE: CVE-2013-7038 CVE STATUS: Patched CVE SUMMARY: The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow remote attackers to obtain sensitive information or cause a denial of service (crash) via unspecified vectors that trigger an out-of-bounds read. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7038 LAYER: meta PACKAGE NAME: libmicrohttpd PACKAGE VERSION: 1.0.1 CVE: CVE-2013-7039 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the MHD_digest_auth_check function in libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to a large value, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long URI in an authentication header. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7039 LAYER: meta PACKAGE NAME: libmicrohttpd PACKAGE VERSION: 1.0.1 CVE: CVE-2021-3466 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libmicrohttpd. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Only version 0.9.70 is vulnerable. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3466 LAYER: meta PACKAGE NAME: libmicrohttpd PACKAGE VERSION: 1.0.1 CVE: CVE-2023-27371 CVE STATUS: Patched CVE SUMMARY: GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27371