Vulnerability Details : CVE-2023-4540
An Improper Handling of Exceptional Conditions vulnerability in Daurnimator's lua-http library allows excessive allocation and a denial-of-service (DoS) attack to be triggered by sending a specially crafted request to the server. Such a request causes the program to enter an infinite loop.
This issue affects lua-http: all versions before commit ddab283.
Vulnerability category: Denial of service
Products affected by CVE-2023-4540
- cpe:2.3:a:daurnimator:lua-http:0.4:*:*:*:*:lua:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-4540
- EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~30% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2023-4540
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST |
CWE ids for CVE-2023-4540
- The product does not handle or incorrectly handles an exceptional condition. Assigned by:
  - cvd@cert.pl (Secondary)
  - nvd@nist.gov (Primary)
- The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. Assigned by:
  - cvd@cert.pl (Secondary)
References for CVE-2023-4540
- https://github.com/daurnimator/lua-http/commit/ddab2835c583d45dec62680ca8d3cbde55e0bae6
  http/h1_stream: handle EOF when `body_read_type==length` · daurnimator/lua-http@ddab283 · GitHub (Patch)
- https://cert.pl/posts/2023/09/CVE-2023-4540/
  Vulnerability in lua-http library | CERT Polska (Patch; Third Party Advisory)
- https://cert.pl/en/posts/2023/09/CVE-2023-4540/
  Vulnerability in lua-http library | CERT Polska