Vulnerability Description
HTTP applications (servers) based on Crow through 1.0+4 may allow a Use-After-Free and code execution when HTTP pipelining is used. The HTTP parser supports HTTP pipelining, but the asynchronous Connection layer is unaware of HTTP pipelining. Specifically, the Connection layer is unaware that it has begun processing a later request before it has finished processing an earlier request.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Crowcpp | Crow | <= 1.0\+4 |
Related Weaknesses (CWE)
References
- https://cwe.mitre.org/data/definitions/372.htmlTechnical DescriptionThird Party Advisory
- https://github.com/0xhebi/CVEs/blob/main/Crow/CVE-2022-38667.mdExploitThird Party Advisory
- https://github.com/CrowCpp/Crow/pull/524PatchThird Party Advisory
- https://gynvael.coldwind.pl/?id=753ExploitThird Party Advisory
- https://cwe.mitre.org/data/definitions/372.htmlTechnical DescriptionThird Party Advisory
- https://github.com/0xhebi/CVEs/blob/main/Crow/CVE-2022-38667.mdExploitThird Party Advisory
- https://github.com/CrowCpp/Crow/pull/524PatchThird Party Advisory
- https://gynvael.coldwind.pl/?id=753ExploitThird Party Advisory
FAQ
What is CVE-2022-38667?
CVE-2022-38667 is a vulnerability with a CVSS score of 9.8 (CRITICAL). HTTP applications (servers) based on Crow through 1.0+4 may allow a Use-After-Free and code execution when HTTP pipelining is used. The HTTP parser supports HTTP pipelining, but the asynchronous Conne...
How severe is CVE-2022-38667?
CVE-2022-38667 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-38667?
Check the references section above for vendor advisories and patch information. Affected products include: Crowcpp Crow.