CVE-2021-37253 – M-Files Web Denial Of Service
https://notcve.org/view.php?id=CVE-2021-37253
** DISPUTED ** M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual web application.

Vendor description: M-Files Web versions prior to 20.10.9524.1 and M-Files Web versions prior to 20.10.9445.0 contain an improper range header processing vulnerability. A remote unauthenticated attacker may send crafted requests with overlapping ranges (via HTTP requests with specially crafted Range or Request-Range headers) to cause the web application to compress each of the requested bytes, resulting in a crash due to excessive memory and CPU consumption and preventing users from accessing the system.

References:
• http://packetstormsecurity.com/files/165139/M-Files-Web-Denial-Of-Service.html
• http://seclists.org/fulldisclosure/2021/Dec/1
• https://vulmon.com/vulnerabilitydetails?qid=CVE-2021-37253
• https://www.m-files.com/about/trust-center/security-advisories/cve-2021-37253-denial-of-service
• https://www.m-files.com/company/trust-center/vulnerability-disclosure
• https://www.tenable.com/cve/CVE-2021-37253

Weakness: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2021-37254
https://notcve.org/view.php?id=CVE-2021-37254
In the M-Files Web product with versions before 20.10.9524.1 and 20.10.9445.0, a remote attacker could use a flaw to obtain unauthenticated access to 3rd party component license key information on the server.

References:
• https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-37254
• https://www.m-files.com/company/trust-center/vulnerability-disclosure