An integer underflow vulnerability exists in the HTTP server PUT request functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted series of network requests can lead to denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability.This vulnerability affects the NetX Duo Component HTTP Server implementation which can be found in x-cube-azrtos-f7MiddlewaresSTnetxduoaddonshttpnxd_http_server.c
Weakness
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| X-cube-azrt-h7rs | St | 1.0.0 (including) | 1.0.0 (including) |
| X-cube-azrtos-f4 | St | 1.1.0 (including) | 1.1.0 (including) |
| X-cube-azrtos-f7 | St | 1.1.0 (including) | 1.1.0 (including) |
| X-cube-azrtos-g0 | St | 1.1.0 (including) | 1.1.0 (including) |
| X-cube-azrtos-g4 | St | 2.0.0 (including) | 2.0.0 (including) |
| X-cube-azrtos-h7 | St | 3.3.0 (including) | 3.3.0 (including) |
| X-cube-azrtos-l4 | St | 2.0.0 (including) | 2.0.0 (including) |
| X-cube-azrtos-l5 | St | 2.0.0 (including) | 2.0.0 (including) |
| X-cube-azrtos-wb | St | 2.0.0 (including) | 2.0.0 (including) |
| X-cube-azrtos-wl | St | 2.0.0 (including) | 2.0.0 (including) |