detain/ConSolo

CVE-2023-26044 (Medium) detected in httpv1.8.0 - autoclosed

mend-bolt-for-github opened this issue · 1 comments

mend-bolt-for-github commented

CVE-2023-26044 - Medium Severity Vulnerability

Vulnerable Library - httpv1.8.0

Event-driven, streaming HTTP client and server implementation for ReactPHP.

Library home page: https://github.com/reactphp/http.git

Found in HEAD commit: eef840d3f52ae21cb808bc3aa4232f0ed4019a91

Found in base branch: master

Vulnerable Source Files (1)

/vendor/react/http/src/Io/MultipartParser.php

Vulnerability Details

react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the RequestBodyBufferMiddleware with very large settings. This might lead to consuming large amounts of CPU time for processing requests and significantly delay or slow down the processing of legitimate user requests. This issue has been addressed in release 1.9.0. Users are advised to upgrade. Users unable to upgrade may keep the request body limited using RequestBodyBufferMiddleware with a sensible value which should mitigate the issue. An infrastructure or DevOps workaround could be to place a reverse proxy in front of the ReactPHP HTTP server to filter out any excessive HTTP request bodies.

Publish Date: 2023-05-17

URL: CVE-2023-26044

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26044

Release Date: 2023-05-17

Fix Resolution: v1.9.0

Step up your Open Source Security Game with Mend here

mend-bolt-for-github commented

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.