CVE-2024-20380 HIGH

CVE-2024-20380: ClamAV HTML Parser Denial of Service Vulnerability

Vendor Cisco
Product ClamAV
Weakness CWE-475
Published April 18, 2024
Last update August 1, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

A vulnerability in the HTML parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an issue in the C to Rust foreign function interface. An attacker could exploit this vulnerability by submitting a crafted file containing HTML content to be scanned by ClamAV on an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

Key dates

02Disclosure timeline

April 18, 2024 CVE published
August 1, 2024 Record updated