Vulnerabilities > CVE-2019-19945 - Incorrect Conversion between Numeric Types vulnerability in Openwrt 19.07.0

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

openwrt

CWE-681

NVD

Published: 2020-03-16

Updated: 2023-05-24

Summary

uhttpd in OpenWrt through 18.06.5 and 19.x through 19.07.0-rc2 has an integer signedness error. This leads to out-of-bounds access to a heap buffer and a subsequent crash. It can be triggered with an HTTP POST request to a CGI script, specifying both "Transfer-Encoding: chunked" and a large negative Content-Length value.

Vulnerable Configurations

Part	Description	Count
OS	Openwrt Openwrt Openwrt 19.07.0 Openwrt Openwrt *	4

Common Weakness Enumeration (CWE)

CWE-681 - Incorrect Conversion between Numeric Types

References

https://github.com/openwrt/openwrt/commits/master
https://openwrt.org/advisory/2020-01-13-1