M-Files has disputed this CVE. The described overlapping ranges problem appears on Microsoft’s Internet Information Server regardless it having an M-Files Web application or not when serving static content such as image files. Problem is reproducible on other IIS servers if one requests for a static image file and forges overlapping range header.
M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual web application.
Risk level: Medium
M-Files Classic Web
Range behavior observable only with static content directly served by the underlying web server.
“M-Files would like to thank Murat Aydemir from Accenture Cyber Security Team (Prague CFC) for bringing this to our attention.”
Date issued: 2021-12-03