CVE-2023-40518 - Vulnerability Details

Vendors	Products
Litespeedtech	Openlitespeed

Link	Providers
https://openlitespeed.org/release-log/version-1-7-x/
https://www.litespeedtech.com/products/litespeed-web-server/release-log

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Show plain JSON

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-40518", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-09T15:47:00.349Z", "dateReserved": "2023-08-14T00:00:00", "datePublished": "2023-08-14T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-14T00:00:00"}, "descriptions": [{"lang": "en", "value": "LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.litespeedtech.com/products/litespeed-web-server/release-log"}, {"url": "https://openlitespeed.org/release-log/version-1-7-x/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:38:49.291Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.litespeedtech.com/products/litespeed-web-server/release-log", "tags": ["x_transferred"]}, {"url": "https://openlitespeed.org/release-log/version-1-7-x/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-09T15:46:37.683534Z", "id": "CVE-2023-40518", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-09T15:47:00.349Z"}}]}}

{

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

cveMetadata : { »

state : PUBLISHED (string)

cveId : CVE-2023-40518 (string)

assignerOrgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

assignerShortName : mitre (string)

dateUpdated : 2024-10-09T15:47:00.349Z (string)

dateReserved : 2023-08-14T00:00:00 (string)

datePublished : 2023-08-14T00:00:00 (string)

}

containers : { »

cna : { »

providerMetadata : { »

orgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

shortName : mitre (string)

dateUpdated : 2023-08-14T00:00:00 (string)

}

descriptions : [ »

0 : { »

lang : en (string)

value : LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers. (string)

}

]

affected : [ »

0 : { »

vendor : n/a (string)

product : n/a (string)

versions : [ »

0 : { »

version : n/a (string)

status : affected (string)

}

]

}

]

references : [ »

0 : { »

url : https://www.litespeedtech.com/products/litespeed-web-server/release-log (string)

}

1 : { »

url : https://openlitespeed.org/release-log/version-1-7-x/ (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

type : text (string)

lang : en (string)

description : n/a (string)

}

]

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-02T18:38:49.291Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://www.litespeedtech.com/products/litespeed-web-server/release-log (string)

tags : [ »

0 : x_transferred (string)

]

}

1 : { »

url : https://openlitespeed.org/release-log/version-1-7-x/ (string)

tags : [ »

0 : x_transferred (string)

]

}

]

}

1 : { »

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

timestamp : 2024-10-09T15:46:37.683534Z (string)

id : CVE-2023-40518 (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : yes (string)

}

2 : { »

Technical Impact : partial (string)

}

]

role : CISA Coordinator (string)

version : 2.0.3 (string)

}

]

title : CISA ADP Vulnrichment (string)

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2024-10-09T15:47:00.349Z (string)

}

]

}

Show plain JSON

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.litespeedtech.com/products/litespeed-web-server/release-log", "tags": ["x_transferred"]}, {"url": "https://openlitespeed.org/release-log/version-1-7-x/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:38:49.291Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-40518", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-09T15:46:37.683534Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-09T15:46:54.831Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.litespeedtech.com/products/litespeed-web-server/release-log"}, {"url": "https://openlitespeed.org/release-log/version-1-7-x/"}], "descriptions": [{"lang": "en", "value": "LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-14T00:00:00"}}}, "cveMetadata": {"cveId": "CVE-2023-40518", "state": "PUBLISHED", "dateUpdated": "2024-10-09T15:47:00.349Z", "dateReserved": "2023-08-14T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-08-14T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{

dataType : CVE_RECORD (string)

containers : { »

adp : [ »

0 : { »

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://www.litespeedtech.com/products/litespeed-web-server/release-log (string)

tags : [ »

0 : x_transferred (string)

]

}

1 : { »

url : https://openlitespeed.org/release-log/version-1-7-x/ (string)

tags : [ »

0 : x_transferred (string)

]

}

]

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-02T18:38:49.291Z (string)

}

1 : { »

title : CISA ADP Vulnrichment (string)

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2023-40518 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : yes (string)

}

2 : { »

Technical Impact : partial (string)

}

]

version : 2.0.3 (string)

timestamp : 2024-10-09T15:46:37.683534Z (string)

}

]

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2024-10-09T15:46:54.831Z (string)

}

]

cna : { »

affected : [ »

0 : { »

vendor : n/a (string)

product : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : n/a (string)

}

]

}

]

references : [ »

0 : { »

url : https://www.litespeedtech.com/products/litespeed-web-server/release-log (string)

}

1 : { »

url : https://openlitespeed.org/release-log/version-1-7-x/ (string)

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

lang : en (string)

type : text (string)

description : n/a (string)

}

]

}

]

providerMetadata : { »

orgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

shortName : mitre (string)

dateUpdated : 2023-08-14T00:00:00 (string)

}

cveMetadata : { »

cveId : CVE-2023-40518 (string)

state : PUBLISHED (string)

dateUpdated : 2024-10-09T15:47:00.349Z (string)

dateReserved : 2023-08-14T00:00:00 (string)

assignerOrgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

datePublished : 2023-08-14T00:00:00 (string)

assignerShortName : mitre (string)

}

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:litespeedtech:openlitespeed:*:*:*:*:*:*:*:*", "matchCriteriaId": "167DAFC3-54C7-448A-A205-86FA8EB0EE09", "versionEndExcluding": "1.7.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers."}], "id": "CVE-2023-40518", "lastModified": "2024-11-21T08:19:38.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-14T22:15:14.327", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://openlitespeed.org/release-log/version-1-7-x/"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://www.litespeedtech.com/products/litespeed-web-server/release-log"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://openlitespeed.org/release-log/version-1-7-x/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://www.litespeedtech.com/products/litespeed-web-server/release-log"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:litespeedtech:openlitespeed:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 167DAFC3-54C7-448A-A205-86FA8EB0EE09 (string)

versionEndExcluding : 1.7.18 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : LiteSpeed OpenLiteSpeed before 1.7.18 does not strictly validate HTTP request headers. (string)

}

]

id : CVE-2023-40518 (string)

lastModified : 2024-11-21T08:19:38.907 (string)

metrics : { »

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : NONE (string)

integrityImpact : HIGH (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 3.6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2023-08-14T22:15:14.327 (string)

references : [ »

0 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Release Notes (string)

]

url : https://openlitespeed.org/release-log/version-1-7-x/ (string)

}

1 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Release Notes (string)

]

url : https://www.litespeedtech.com/products/litespeed-web-server/release-log (string)

}

2 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Release Notes (string)

]

url : https://openlitespeed.org/release-log/version-1-7-x/ (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Release Notes (string)

]

url : https://www.litespeedtech.com/products/litespeed-web-server/release-log (string)

}

]

sourceIdentifier : cve@mitre.org (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : NVD-CWE-noinfo (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object