CVE-2020-13432

moderate-risk
Published 2020-06-08

rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual files or folders are used, allows remote attackers to trigger an invalid-pointer write access violation via concurrent HTTP requests with a long URI or long HTTP headers.

Do I need to act?

~
7.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Rejetto

References (14)

Exploit http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFF...
Exploit http://packetstormsecurity.com/files/157980/HFS-Http-File-Server-2.3m-Build-300-...
Exploit http://seclists.org/fulldisclosure/2020/Jun/13
http://seclists.org/fulldisclosure/2021/Apr/12
Patch https://github.com/rejetto/hfs2/commit/b8ebfc4e22948e1a61506cd66e397b61ea5ea5de
Exploit https://packetstormsecurity.com/files/157980/HFS-Http-File-Server-2.3m-Build-300...
Release Notes https://www.rejetto.com/hfs/?f=wn
Exploit http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFF...
Exploit http://packetstormsecurity.com/files/157980/HFS-Http-File-Server-2.3m-Build-300-...
Exploit http://seclists.org/fulldisclosure/2020/Jun/13
http://seclists.org/fulldisclosure/2021/Apr/12
Patch https://github.com/rejetto/hfs2/commit/b8ebfc4e22948e1a61506cd66e397b61ea5ea5de
Exploit https://packetstormsecurity.com/files/157980/HFS-Http-File-Server-2.3m-Build-300...
Release Notes https://www.rejetto.com/hfs/?f=wn
41
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 10/34 · Low
Exposure 5/34 · Minimal