CVE-2021-26843
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
An issue was discovered in sthttpd through 2.27.1. On systems where the strcpy function is implemented with memcpy, the de_dotdot function may cause a Denial-of-Service (daemon crash) due to overlapping memory ranges being passed to memcpy. This can triggered with an HTTP GET request for a crafted filename. NOTE: this is similar to CVE-2017-10671, but occurs in a different part of the de_dotdot function.
Se ha detectado un problema en sthttpd versiones hasta 2.27.1. En los sistemas en los que la función strcpy es implementada con memcpy, la función de_dotdot puede causar una denegación de servicio (bloqueo del demonio) debido a la superposición de rangos de memoria que se pasan a memcpy. Esto puede desencadenar con una petición HTTP GET para un nombre de archivo diseñado. NOTA: esto es similar a CVE-2017-10671, pero ocurre en una parte diferente de la función de_dotdot
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-02-07 CVE Reserved
- 2021-02-07 CVE Published
- 2023-10-24 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/blueness/sthttpd/issues/14 | 2024-08-03 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Sthttpd Project Search vendor "Sthttpd Project" | Sthttpd Search vendor "Sthttpd Project" for product "Sthttpd" | <= 2.27.1 Search vendor "Sthttpd Project" for product "Sthttpd" and version " <= 2.27.1" | - |
Affected
| ||||||