
CVE-2021-41499: Classic Buffer Overflow in pyo

CVSS Score: 7.5

Basic Information

EPSS Score: -
Published: 1/7/2022
Updated: 2/1/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: pyo
Ecosystem: pip
Vulnerable Versions: < 1.0.3
First Patched Version: 1.0.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems directly from Server_debug's use of vsprintf with a fixed-size buffer. The GitHub issue explicitly shows the code pattern: vsprintf(buffer, format, args) where buffer is 256 bytes and format includes user-controlled filename input. This matches CWE-120's classic buffer overflow pattern. While Server_start_rec_internal passes the filename to Server_debug, the actual unsafe buffer operation occurs within Server_debug itself. The combination of external input control (filename), fixed buffer size, and unsafe vsprintf usage provides high confidence in this assessment.
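
The bounded form of the pattern described above, as an added example (not code from pyo or from this page). The function names debug_format and demo and the message text are hypothetical; only the 256-byte buffer size and the vsprintf call come from the analysis.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define DEBUG_BUF_SIZE 256 /* buffer size stated in the root cause analysis */

/* Pattern described on the page (shown as a comment only):
 *     char buffer[256];
 *     vsprintf(buffer, format, args);
 * vsprintf takes no size argument, so a long filename in the formatted
 * output is written past the end of buffer. */

/* Hypothetical bounded replacement: formats into out (capacity cap) and
 * always NUL-terminates. Returns 1 if the message fit, 0 if it was
 * truncated, -1 on a formatting error or an unusable buffer. */
static int debug_format(char *out, size_t cap, const char *format, ...)
{
    va_list args;
    int needed;

    if (out == NULL || cap == 0)
        return -1;
    va_start(args, format);
    needed = vsnprintf(out, cap, format, args); /* writes at most cap bytes */
    va_end(args);
    if (needed < 0) {
        out[0] = '\0';
        return -1;
    }
    if ((size_t)needed >= cap) {
        /* Mark the cut so a log reader can see the tail was dropped. */
        if (cap >= 4)
            memcpy(out + cap - 4, "...", 4);
        return 0;
    }
    return 1;
}

/* Constructed input: a filename of name_len 'A' characters, formatted the
 * way a recording-start debug message might be (message text assumed). */
static int demo(size_t name_len, char *out, size_t cap)
{
    char name[1024];

    if (name_len >= sizeof name)
        name_len = sizeof name - 1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return debug_format(out, cap, "Recording to file: %s\n", name);
}
```

The return value lets the caller treat an over-long filename as an input error instead of silently logging a shortened one.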
