CVE-2020-21574

7.5 HIGH

📋 TL;DR

A buffer overflow in YotsuyaNight c-http v0.1.0 lets a remote attacker crash the server (denial of service) by sending a request with an over-long URL. It affects systems running the vulnerable version of this HTTP server. The overflow occurs in the delimitedread function while it processes the URL portion of the request.

💻 Affected Systems

Products:
  • YotsuyaNight c-http
Versions: v0.1.0
Operating Systems: Any OS running the vulnerable software
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects version 0.1.0 of c-http. The software appears to be a small HTTP server implementation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, if the buffer overflow can be exploited to execute arbitrary code.

🟠 Likely Case: Denial of service; the HTTP server crashes and web services are disrupted.

🟢 If Mitigated: Limited impact once proper input validation and boundary checking are in place.

🌐 Internet-Facing: HIGH - HTTP servers are typically internet-facing and accept untrusted input.
🏢 Internal Only: MEDIUM - Internal servers could still be targeted by internal threats.
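The "If Mitigated" line above comes down to one thing: a read-up-to-delimiter routine must stop at the destination buffer's capacity rather than at the delimiter. The block below is an added illustration, not c-http's own code; the function names, the 1024-byte limit and the constructed request lines are assumptions chosen for the example. It shows a bounded reader that refuses an over-long request target (the 414 path) instead of overrunning a fixed stack buffer.

```c
/* Added illustration (not c-http's own code): a bounded "read up to a
 * delimiter" helper of the kind a fix for an overflow in a delimitedread-style
 * routine needs. Function names, the 1024-byte limit and the sample request
 * lines are assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest request target accepted; 1024 mirrors the advisory's LimitRequestLine
 * and SIEM threshold and is an assumption here. */
#define MAX_TARGET 1024

/* Copy bytes from src into dst until delim or NUL is reached.
 * Returns the number of bytes copied on success, or -1 if the token does not
 * fit (dstlen counts the terminating NUL). On failure dst is left empty so a
 * caller can never act on a partially copied token. */
long delimited_read_bounded(const char *src, char delim, char *dst, size_t dstlen)
{
    size_t i = 0;
    if (dstlen == 0) return -1;
    while (src[i] != '\0' && src[i] != delim) {
        if (i + 1 >= dstlen) {          /* no room for this byte plus the NUL */
            dst[0] = '\0';
            return -1;
        }
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return (long)i;
}

/* Parse "METHOD target HTTP/x.y" and return the target's length, or -1 when the
 * line is malformed or the target exceeds MAX_TARGET (the case a server should
 * answer with 414 instead of overrunning a stack buffer). */
long request_target_length(const char *request_line)
{
    char method[16];
    char target[MAX_TARGET + 1];
    long n = delimited_read_bounded(request_line, ' ', method, sizeof method);
    if (n <= 0 || request_line[n] != ' ') return -1;
    n = delimited_read_bounded(request_line + n + 1, ' ', target, sizeof target);
    return n <= 0 ? -1 : n;
}

/* Build a constructed request line "GET /" + path_len 'A' bytes + " HTTP/1.1"
 * and report whether the bounded parser rejects it (1) or accepts it (0). */
int overlong_request_rejected(size_t path_len)
{
    size_t total = 5 + path_len + 10;      /* 10 covers " HTTP/1.1" and its NUL */
    char *line = malloc(total);
    if (line == NULL) return -1;
    memcpy(line, "GET /", 5);
    memset(line + 5, 'A', path_len);
    memcpy(line + 5 + path_len, " HTTP/1.1", 10);
    int rejected = request_target_length(line) < 0;
    free(line);
    return rejected;
}

int main(void)
{
    printf("/index.html target length: %ld\n",
           request_target_length("GET /index.html HTTP/1.1"));
    printf("4000-byte path rejected: %d\n", overlong_request_rejected(4000));
    printf("1023-byte path rejected: %d\n", overlong_request_rejected(1023));
    return 0;
}
```

The design point is that the reader returns an error and empties the destination rather than silently truncating: a truncated URL would still be parsed and could route the request somewhere the client never named, so the caller gets a clear reject signal instead.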

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub issue shows proof-of-concept exploitation. Exploitation requires sending a specially crafted long URL request.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.1.1 or later

Vendor Advisory: https://github.com/YotsuyaNight/c-http/issues/1

Restart Required: Yes

Instructions:

1. Check the running version with 'c-http --version' or similar.
2. Update to v0.1.1 or later from the GitHub repository.
3. Restart the c-http service.

🔧 Temporary Workarounds

Input Length Restriction

Platform: all

Place a reverse proxy or load balancer in front of c-http and have it reject over-long request lines before they reach the server. Note that nginx's client_max_body_size limits the request body, not the URL; the request line is bounded by the header buffer size, so use that directive instead:

nginx: large_client_header_buffers 4 1k;
apache: LimitRequestLine 1024

Network Segmentation

Platform: linux

Restrict access to c-http servers to trusted networks only

iptables -A INPUT -p tcp --dport [c-http-port] -s [trusted-network] -j ACCEPT
iptables -A INPUT -p tcp --dport [c-http-port] -j DROP

🧯 If You Can't Patch

  • Deploy Web Application Firewall (WAF) with URL length restriction rules
  • Monitor for abnormal long URL requests and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Confirm whether the server is running c-http 0.1.0. To exercise the flaw, send a request whose URL is far longer than a typical one, e.g. 'curl -X GET "http://target/long-url-here"'; because a vulnerable build crashes instead of answering, run this only against a test instance.

Check Version:

Check the binary or the package manager: 'c-http --version', or inspect the installed package version.

Verify Fix Applied:

Verify the version is 0.1.1 or later, then repeat the same long-URL request: a patched server should reject it cleanly rather than crash.

📡 Detection & Monitoring

Log Indicators:

  • Server crash logs
  • Abnormally long URL requests in access logs
  • Repeated connection failures

Network Indicators:

  • HTTP requests with URLs exceeding 1024 characters
  • Multiple failed connection attempts to HTTP port

SIEM Query:

source="web_logs" AND (url_length>1024 OR status=500) AND dest_port=80
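The SIEM query above is easy to mirror on the host when no SIEM is in front of the server. The following block is an added detection example, not part of the advisory: it parses combined-log-format access log lines (constructed samples here; the IP, timestamp and field names are assumptions) and flags the two indicators listed above, a request target longer than 1024 bytes or a 500 status.

```c
/* Added detection example (not part of the advisory): scan combined-log-format
 * access log lines for the indicators above, a request target longer than
 * 1024 bytes or a 500 status. The log lines are constructed samples. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define URL_LEN_THRESHOLD 1024

/* Parse one line shaped like
 *   host ident user [time] "METHOD target HTTP/x.y" status bytes ...
 * Returns 0 and fills *target_len and *status, or -1 if the line is not in
 * that shape. */
int parse_access_line(const char *line, size_t *target_len, int *status)
{
    const char *q1 = strchr(line, '"');                             /* opening quote */
    if (q1 == NULL) return -1;
    const char *q2 = strchr(q1 + 1, '"');                           /* closing quote */
    if (q2 == NULL) return -1;
    const char *sp1 = memchr(q1 + 1, ' ', (size_t)(q2 - q1 - 1));   /* after METHOD */
    if (sp1 == NULL) return -1;
    const char *sp2 = memchr(sp1 + 1, ' ', (size_t)(q2 - sp1 - 1)); /* after target */
    const char *end = (sp2 != NULL) ? sp2 : q2;   /* HTTP/0.9 lines carry no version */
    *target_len = (size_t)(end - (sp1 + 1));
    const char *p = q2 + 1;                       /* status is the next token */
    while (*p == ' ') p++;
    char *endp;
    long st = strtol(p, &endp, 10);
    if (endp == p) return -1;
    *status = (int)st;
    return 0;
}

/* Mirrors the SIEM query: url_length>1024 OR status=500. Unparseable lines are
 * not flagged here; in practice they deserve an alert of their own. */
int is_suspicious(const char *line)
{
    size_t len;
    int status;
    if (parse_access_line(line, &len, &status) != 0) return 0;
    return len > URL_LEN_THRESHOLD || status == 500;
}

/* Count flagged lines in a batch. */
size_t count_suspicious(const char *const *lines, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) hits += is_suspicious(lines[i]) ? 1 : 0;
    return hits;
}

/* Constructed line whose target is "/" followed by path_len 'A' bytes, logged
 * with the given status; returns the is_suspicious verdict for it. */
int constructed_request_suspicious(size_t path_len, int status)
{
    const char *head = "198.51.100.7 - - [10/Oct/2020:13:55:36 +0000] \"GET /";
    size_t hl = strlen(head);
    char *line = malloc(hl + path_len + 32);      /* 32 covers the tail and NUL */
    if (line == NULL) return -1;
    memcpy(line, head, hl);
    memset(line + hl, 'A', path_len);
    sprintf(line + hl + path_len, " HTTP/1.1\" %d 0", status);
    int verdict = is_suspicious(line);
    free(line);
    return verdict;
}

int main(void)
{
    static const char *const sample[] = {
        "198.51.100.7 - - [10/Oct/2020:13:55:36 +0000] \"GET /index.html HTTP/1.1\" 200 612",
        "198.51.100.7 - - [10/Oct/2020:13:55:37 +0000] \"GET /index.html HTTP/1.1\" 500 0",
        "not a log line",
    };
    printf("flagged in sample: %zu of 3\n", count_suspicious(sample, 3));
    printf("2000-byte path flagged: %d\n", constructed_request_suspicious(2000, 200));
    return 0;
}
```

One caveat when tuning this: a crash in c-http 0.1.0 means the offending request may never be written to the access log at all, so the server-crash and repeated-connection-failure indicators listed above matter as much as the URL-length rule.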
