CVE-2020-13111

Source
https://cve.org/CVERecord?id=CVE-2020-13111
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13111.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-13111
Published
2020-05-16T15:15:11.377Z
Modified
2025-11-14T10:12:57.260983Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

NaviServer 4.99.4 to 4.99.19 allows denial of service due to the nsd/driver.c ChunkedDecode function not properly validating the length of a chunk. A remote attacker can craft a chunked-transfer request that will result in a negative value being passed to memmove via the size parameter, causing the process to crash.

References

Affected packages

Git / bitbucket.org/naviserver/naviserver

Affected ranges

Type
GIT
Repo
https://bitbucket.org/naviserver/naviserver
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
a5c3079f1d8996d5f34c9384a440acf3519ca3bb

Affected versions

aolserver-3.*
aolserver-3.0.0
aolserver-3.1.0
aolserver-3.2.0
aolserver-3.3.0
aolserver-4.*
aolserver-4.0.0
aolserver-4.0.1
aolserver-4.0.10
aolserver-4.0.2
aolserver-4.0.3
aolserver-4.0.5
aolserver-4.0.6
aolserver-4.0.7
aolserver-4.0.8
aolserver-4.0.9
naviserver-4.*
naviserver-4.99.0
naviserver-4.99.1
naviserver-4.99.10
naviserver-4.99.11
naviserver-4.99.12
naviserver-4.99.13
naviserver-4.99.14
naviserver-4.99.15
naviserver-4.99.16
naviserver-4.99.17
naviserver-4.99.18
naviserver-4.99.19
naviserver-4.99.4
naviserver-4.99.5
naviserver-4.99.6
naviserver-4.99.7
naviserver-4.99.8
naviserver-4.99.9

Database specific

vanir_signatures
[
    {
        "signature_type": "Function",
        "source": "https://bitbucket.org/naviserver/naviserver@a5c3079f1d8996d5f34c9384a440acf3519ca3bb",
        "target": {
            "file": "nsd/driver.c",
            "function": "ChunkedDecode"
        },
        "id": "CVE-2020-13111-07111027",
        "signature_version": "v1",
        "digest": {
            "function_hash": "250909468737293629762572300341696088912",
            "length": 1007.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "source": "https://bitbucket.org/naviserver/naviserver@a5c3079f1d8996d5f34c9384a440acf3519ca3bb",
        "target": {
            "file": "nsd/driver.c",
            "function": "SockParse"
        },
        "id": "CVE-2020-13111-0a3134a2",
        "signature_version": "v1",
        "digest": {
            "function_hash": "84454927509190328786046766938350389838",
            "length": 5105.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "source": "https://bitbucket.org/naviserver/naviserver@a5c3079f1d8996d5f34c9384a440acf3519ca3bb",
        "target": {
            "file": "nsd/driver.c"
        },
        "id": "CVE-2020-13111-9c245ba1",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "deprecated": false
    }
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13111.json"