CVE-2021-34585

CODESYS V2 web server: crafted requests could trigger a pointer dereference with an invalid address (DoS)

CVSS 7.5 HIGH · EPSS 0.9% · CWE-252
In short

The CODESYS V2 web server has a flaw where specially crafted requests can crash the server, making it unavailable to users. This happens because the server does not check the result of its request parser under all conditions before using it.

Technical detail

A remote attacker can send crafted HTTP requests to the CODESYS V2 web server (versions prior to V1.1.9.22) that trigger a parser error. Because the parser result is not checked under all conditions, the server goes on to dereference a pointer with an invalid address and crashes, causing a denial of service. No authentication, privileges or user interaction are required (CVSS PR:N, UI:N), the attack is network-reachable (AV:N), and the impact is limited to availability (C:N/I:N/A:H). Versions V1.1.9.22 and later contain the fix.
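The defect class behind this advisory is CWE-252 (unchecked return value): a parser signals failure, the caller never looks at that signal, and the "result" is dereferenced anyway. The following C program is an added illustration of that pattern and is not CODESYS code; it does not reproduce the CODESYS V2 web server's parser, and the struct, function names and request-line format are assumptions made for the example. It shows a small request-line parser that returns NULL on any parse error, a handler that dereferences the result unchecked (the vulnerable shape), and a handler that rejects the request instead.

```c
/* Illustrative CWE-252 example written for this page. Hypothetical code,
 * NOT the CODESYS V2 web server implementation. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define METHOD_MAX 8    /* assumed limits for the example */
#define PATH_MAX_LEN 64

struct request {
    char method[METHOD_MAX];
    char path[PATH_MAX_LEN];
};

/* Parse an HTTP request line "METHOD SP PATH SP HTTP/1.x".
 * Returns a heap-allocated request on success, NULL on any parse error.
 * The caller owns the result and must free() it. */
struct request *parse_request_line(const char *line)
{
    if (line == NULL)
        return NULL;
    const char *sp1 = strchr(line, ' ');
    if (sp1 == NULL || sp1 == line)          /* missing or empty method */
        return NULL;
    size_t mlen = (size_t)(sp1 - line);
    if (mlen >= METHOD_MAX)                   /* oversized method */
        return NULL;
    const char *sp2 = strchr(sp1 + 1, ' ');
    if (sp2 == NULL || sp2 == sp1 + 1)       /* missing or empty path */
        return NULL;
    size_t plen = (size_t)(sp2 - (sp1 + 1));
    if (plen >= PATH_MAX_LEN)                 /* oversized path */
        return NULL;
    if (strncmp(sp2 + 1, "HTTP/1.", 7) != 0)  /* unsupported version */
        return NULL;

    struct request *r = calloc(1, sizeof *r);
    if (r == NULL)
        return NULL;
    memcpy(r->method, line, mlen);
    memcpy(r->path, sp1 + 1, plen);
    return r;
}

/* Vulnerable shape: the parser result is used without checking it.
 * A crafted line that fails to parse yields NULL, which is dereferenced
 * here. Only ever call this with well-formed input; it is kept for contrast. */
int handle_request_unchecked(const char *line, char *out, size_t outlen)
{
    struct request *r = parse_request_line(line);
    int n = snprintf(out, outlen, "%s %s", r->method, r->path); /* NULL deref on error */
    free(r);
    return n;
}

/* Hardened shape: check the parser result before touching it and fail the
 * request cleanly. Returns -1 on rejection, otherwise the response length. */
int handle_request_checked(const char *line, char *out, size_t outlen)
{
    struct request *r = parse_request_line(line);
    if (r == NULL) {
        snprintf(out, outlen, "400 Bad Request");
        return -1;
    }
    int n = snprintf(out, outlen, "%s %s", r->method, r->path);
    free(r);
    return n;
}

int main(void)
{
    /* Constructed sample request lines: one valid, the rest malformed. */
    const char *samples[] = {
        "GET /index.htm HTTP/1.1\r\n",
        "GET\r\n",               /* no path, no version */
        "GET /x",                /* no version */
        "GET / FTP/1.0",         /* wrong protocol */
        "",
    };
    char out[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = handle_request_checked(samples[i], out, sizeof out);
        printf("%-28s -> %s (rc=%d)\n", samples[i], out, n);
    }
    return 0;
}
```

The checked handler is the only one that survives every sample; the unchecked one would crash on all but the first, which is exactly the availability-only outcome the advisory describes.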

The summary above was generated and translated by AI from the official description, which reads:
In the CODESYS V2 web server prior to V1.1.9.22 crafted web server requests can trigger a parser error. Since the parser result is not checked under all conditions, a pointer dereference with an invalid address can occur. This leads to a denial of service situation.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
CODESYS · CODESYS V2
