Candidate: CVE-2021-3466
PublicDate: 2021-03-25 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3466
 https://bugzilla.redhat.com/show_bug.cgi?id=1939127
Description:
 A flaw was found in libmicrohttpd. A missing bounds check in the
 post_process_urlencoded function leads to a buffer overflow, allowing a
 remote attacker to write arbitrary data in an application that uses
 libmicrohttpd. The highest threat from this vulnerability is to data
 confidentiality and integrity as well as system availability. Only version
 0.9.70 is vulnerable.
Ubuntu-Description:
Notes:
 avital> introduced in v0.9.70 (commit
   55f715e15e3ce66babc939b5a670bee02d4d9571 upstream)
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_libmicrohttpd:
 upstream: https://git.gnunet.org/libmicrohttpd.git/commit/?id=a110ae6276660bee3caab30e9ff3f12f85cf3241
upstream_libmicrohttpd: released (0.9.71-1)
precise/esm_libmicrohttpd: DNE
trusty_libmicrohttpd: ignored (out of standard support)
trusty/esm_libmicrohttpd: not-affected (code not present)
xenial_libmicrohttpd: not-affected (code not present)
bionic_libmicrohttpd: not-affected (code not present)
focal_libmicrohttpd: not-affected (code not present)
groovy_libmicrohttpd: not-affected (0.9.71-1ubuntu1)
devel_libmicrohttpd: not-affected