{"id":"CVE-2020-13432","details":"rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual files or folders are used, allows remote attackers to trigger an invalid-pointer write access violation via concurrent HTTP requests with a long URI or long HTTP headers.","modified":"2026-04-02T02:15:06.147418Z","published":"2020-06-08T18:15:11.710Z","references":[{"type":"WEB","url":"http://seclists.org/fulldisclosure/2021/Apr/12"},{"type":"ADVISORY","url":"https://www.rejetto.com/hfs/?f=wn"},{"type":"FIX","url":"https://github.com/rejetto/hfs2/commit/b8ebfc4e22948e1a61506cd66e397b61ea5ea5de"},{"type":"EVIDENCE","url":"https://packetstormsecurity.com/files/157980/HFS-Http-File-Server-2.3m-Build-300-Buffer-Overflow.html"},{"type":"EVIDENCE","url":"http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFFER-OVERFLOW-DoS.txt"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/157980/HFS-Http-File-Server-2.3m-Build-300-Buffer-Overflow.html"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2020/Jun/13"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rejetto/hfs2","events":[{"introduced":"0"},{"fixed":"b8ebfc4e22948e1a61506cd66e397b61ea5ea5de"}]},{"type":"GIT","repo":"https://github.com/rejetto/hfs2","events":[{"introduced":"0"},{"fixed":"b8ebfc4e22948e1a61506cd66e397b61ea5ea5de"}]}],"versions":["2.4","v2.4-alpha01","v2.4-alpha02","v2.4-alpha03","v2.4-alpha04","v2.4-alpha05","v2.4-alpha06","v2.4-alpha07","v2.4-alpha08","v2.4-alpha09","v2.4-alpha10","v2.4-alpha11","v2.4-beta01"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2.3m"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13432.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}