Upstream information

CVE-2022-34037 at MITRE

Description

** DISPUTED ** An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. Note: This has been disputed as a bug, not a security vulnerability, in the Caddy web server that emerged when an administrator's bad configuration containing a malformed request URI caused the server to return an empty reply instead of a valid HTTP response to the client.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
  National Vulnerability Database
Base Score 7.5
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Impact None
Integrity Impact None
Availability Impact High
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1201822 [NEW]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Package Hub 15 SP4
  • caddy >= 2.5.2-bp154.2.8.1
Patchnames:
openSUSE-2022-10080
openSUSE Leap 15.4
  • caddy >= 2.5.2-bp154.2.8.1
Patchnames:
openSUSE-2022-10080
openSUSE Tumbleweed
  • caddy >= 2.5.2-2.1
Patchnames:
openSUSE Tumbleweed GA caddy-2.5.2-2.1


SUSE Timeline for this CVE

CVE page created: Sun Jul 24 01:57:53 2022
CVE page last modified: Thu Jun 6 16:36:44 2024