CVE-2021-37253: Denial of Service

DESCRIPTION:

M-Files has disputed this CVE. The described overlapping-ranges problem appears on Microsoft’s Internet Information Server (IIS) when it serves static content such as image files, regardless of whether an M-Files Web application is installed. The problem is reproducible on other IIS servers by requesting a static image file with a forged Range header that contains overlapping ranges.

M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual web application.
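Because the advisory places the range handling in the web server rather than the application, the practical mitigation is a check in front of the static-content handler (a reverse proxy, WAF or request filter) that parses the Range header and rejects overlapping or excessive byte ranges before the file handler sees them. The following is an added example written for this page; it is not M-Files or Microsoft code. The header syntax follows the standard `bytes=first-last` form; the resource sizes, headers and the `max_ranges` limit are constructed sample values.

```python
"""Parse HTTP Range headers and flag overlapping byte ranges.

Added example for this advisory (not M-Files or Microsoft code). A filter in
front of a static-content server can apply this check to the Range header
(the advisory also names Request-Range; treat it the same way): parse the
byte-range specs, normalise them against the known resource size, and reject
the request when the ranges overlap or there are too many of them.
"""
import re
from typing import List, Optional, Tuple

# A single range-spec is "first-last", "first-" or "-suffixlength".
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header: str, size: int) -> Optional[List[Tuple[int, int]]]:
    """Return inclusive (first, last) positions for a bytes= header.

    Returns None when the header is absent or not a byte-range request,
    raises ValueError on malformed specs, and silently drops ranges that
    start past the end of the resource (they are unsatisfiable).
    """
    if not header or "=" not in header:
        return None
    unit, _, spec_list = header.partition("=")
    if unit.strip().lower() != "bytes":
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in spec_list.split(","):
        spec = spec.strip()
        m = _RANGE_SPEC.match(spec)
        if not m:
            raise ValueError(f"malformed range-spec: {spec!r}")
        first_s, last_s = m.groups()
        if first_s == "" and last_s == "":
            raise ValueError("range-spec needs a first or a suffix length")
        if first_s == "":
            # suffix-byte-range-spec: the last N bytes of the resource
            n = int(last_s)
            if n == 0:
                raise ValueError("suffix length 0 is unsatisfiable")
            first, last = max(size - n, 0), size - 1
        else:
            first = int(first_s)
            last = int(last_s) if last_s else size - 1
            if last_s and last < first:
                raise ValueError(f"last < first in {spec!r}")
            last = min(last, size - 1)  # clamp to the resource
        if first >= size:
            continue
        ranges.append((first, last))
    return ranges


def has_overlap(ranges: List[Tuple[int, int]]) -> bool:
    """True if any two ranges share at least one byte position."""
    ordered = sorted(ranges)
    for (_, prev_last), (cur_first, _) in zip(ordered, ordered[1:]):
        if cur_first <= prev_last:
            return True
    return False


def classify_range_request(header: str, size: int, max_ranges: int = 5) -> str:
    """Decide what a front-end filter should do with a Range header.

    'none'          - not a byte-range request, pass through
    'bad'           - malformed, answer 400
    'unsatisfiable' - nothing inside the resource, answer 416
    'reject'        - overlapping ranges or more than max_ranges, refuse
    'ok'            - forward to the static-file handler
    """
    try:
        ranges = parse_byte_ranges(header, size)
    except ValueError:
        return "bad"
    if ranges is None:
        return "none"
    if not ranges:
        return "unsatisfiable"
    if len(ranges) > max_ranges or has_overlap(ranges):
        return "reject"
    return "ok"


if __name__ == "__main__":
    # Constructed sample headers against a 1000-byte image.
    for hdr in ("bytes=0-99", "bytes=0-99,50-150", "bytes=-500,0-10", "bytes=x"):
        print(f"{hdr!r:28} -> {classify_range_request(hdr, 1000)}")
```

The overlap test sorts ranges by start position and compares each one with its predecessor, so adjacent ranges such as `0-99,100-199` pass while `0-99,50-150` is rejected. On IIS the static file handler, not the M-Files application, processes Range, so a check like this belongs at the proxy or server layer in front of that handler.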

Risk level: Medium

AFFECTED PRODUCTS:

M-Files Classic Web

MORE INFORMATION:

The range behavior is observable only with static content served directly by the underlying web server.

ACKNOWLEDGEMENT:

“M-Files would like to thank Murat Aydemir from Accenture Cyber Security Team (Prague CFC) for bringing this to our attention.”


Date issued: 2021-12-03