Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2022-31081

Disclosure Date: June 27, 2022
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

HTTP::Daemon is a simple http server class written in perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are, most Perl based applications are served on top of Nginx or Apache, not on the HTTP::Daemon. This library is commonly used for local development and tests. Users are advised to update to resolve this issue. Users unable to upgrade may add additional request handling logic as a mitigation. After calling my $rqst = $conn->get_request() one could inspect the returned HTTP::Request object. Querying the ‘Content-Length’ (my $cl = $rqst->header('Content-Length')) will show any abnormalities that should be dealt with by a 400 response. Expected strings of ‘Content-Length’ SHOULD consist of either a single non-negative integer, or, a comma separated repetition of that number. (that is 42 or 42, 42, 42). Anything else MUST be rejected.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
6.5 Medium
Impact Score:
2.5
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
Low
Integrity (I):
Low
Availability (A):
None

General Information

Vendors

  • debian,
  • http::daemon project

Products

  • debian linux 10.0,
  • http::daemon
Technical Analysis