CVE-2021-26843 - log

CVE-2021-26843 edited at 18 Mar 2021 11:28:45
Type
- Denial of service
+ Arbitrary code execution
CVE-2021-26843 edited at 07 Feb 2021 23:40:44
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ An issue was discovered in sthttpd through 2.27.1. On systems where the strcpy function is implemented with memcpy, the de_dotdot function may cause a Denial-of-Service (daemon crash) due to overlapping memory ranges being passed to memcpy. This can be triggered with an HTTP GET request for a crafted filename. NOTE: this is similar to CVE-2017-10671, but occurs in a different part of the de_dotdot function.
References
+ https://github.com/blueness/sthttpd/issues/14
+ https://github.com/blueness/sthttpd/blob/master/src/libhttpd.c#L2406
Notes
CVE-2021-26843 created at 07 Feb 2021 23:38:54