ID

VAR-201808-0470


CVE

CVE-2018-15504


TITLE

NULL pointer dereference vulnerability in Embedthis GoAhead and Appweb

Trust: 0.8

sources: JVNDB: JVNDB-2018-009304

DESCRIPTION

An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11. Embedthis GoAhead and Appweb contain a NULL pointer dereference vulnerability that may lead to a denial-of-service (DoS) condition. Embedthis GoAhead and Appweb are both products of Embedthis Software in the United States. Embedthis GoAhead is an embedded web server. Appweb is a fast and small web server, which is mainly used for embedded applications, devices and web services, and supports security defense strategies, digest authentication, virtual hosts, etc. Embedthis GoAhead versions prior to 4.0.1 and Appweb versions prior to 7.0.2 have a security vulnerability.

Trust: 1.71

sources: NVD: CVE-2018-15504 // JVNDB: JVNDB-2018-009304 // VULHUB: VHN-125770

AFFECTED PRODUCTS

vendor: embedthis, model: appweb, scope: lt, version: 7.0.2

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 17.3

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 17.1

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 18.1

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 15.1

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 18.2

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 16.1

Trust: 1.0

vendor: embedthis, model: goahead, scope: lt, version: 4.0.1

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 18.4

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 17.2

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 18.3

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 15.1x53

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 17.4

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 12.3x48

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 15.1x49

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 16.2

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 12.1x46

Trust: 1.0

vendor: juniper, model: junos, scope: eq, version: 12.3

Trust: 1.0

vendor: embedthis, model: goahead, scope: eq, version: 4.0.1

Trust: 0.8

vendor: embedthis, model: appweb, scope: -, version: -

Trust: 0.8

vendor: embedthis, model: goahead, scope: eq, version: 3.3.4

Trust: 0.6

vendor: embedthis, model: goahead, scope: eq, version: 3.3.5

Trust: 0.6

vendor: embedthis, model: goahead, scope: eq, version: 3.3.3

Trust: 0.6

vendor: embedthis, model: goahead, scope: eq, version: 3.3.1

Trust: 0.6

vendor: embedthis, model: appweb, scope: eq, version: 4.6.5

Trust: 0.6

vendor: embedthis, model: appweb, scope: eq, version: 5.2.0

Trust: 0.6

vendor: embedthis, model: appweb, scope: eq, version: 5.1.0

Trust: 0.6

vendor: embedthis, model: appweb, scope: eq, version: 5.0.0

Trust: 0.6

vendor: embedthis, model: goahead, scope: eq, version: 3.0.0

Trust: 0.6

vendor: embedthis, model: goahead, scope: eq, version: 3.3.2

Trust: 0.6

sources: JVNDB: JVNDB-2018-009304 // CNNVD: CNNVD-201808-526 // NVD: CVE-2018-15504

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-15504
value: HIGH

Trust: 1.0

NVD: CVE-2018-15504
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201808-526
value: HIGH

Trust: 0.6

VULHUB: VHN-125770
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2018-15504
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-125770
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2018-15504
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2018-15504
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-125770 // JVNDB: JVNDB-2018-009304 // CNNVD: CNNVD-201808-526 // NVD: CVE-2018-15504

PROBLEMTYPE DATA

problemtype: CWE-476

Trust: 1.1

problemtype: NULL pointer dereference (CWE-476) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-125770 // JVNDB: JVNDB-2018-009304 // NVD: CVE-2018-15504

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201808-526

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201808-526

PATCH

title: NULL dereference for invalid Host and If-Modified-* headers #605 GitHub
url: https://github.com/embedthis/appweb/commit/66067ae6d1fa08b37a270e7dc1821df52ed2daef

Trust: 0.8

title: Embedthis GoAhead and Appweb Security vulnerabilities
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=84129

Trust: 0.6

sources: JVNDB: JVNDB-2018-009304 // CNNVD: CNNVD-201808-526

EXTERNAL IDS

db: NVD, id: CVE-2018-15504

Trust: 3.3

db: JVN, id: JVNVU92569237

Trust: 0.8

db: JVNDB, id: JVNDB-2018-009304

Trust: 0.8

db: CNNVD, id: CNNVD-201808-526

Trust: 0.7

db: JUNIPER, id: JSA10948

Trust: 0.6

db: AUSCERT, id: ESB-2019.2562

Trust: 0.6

db: VULHUB, id: VHN-125770

Trust: 0.1

sources: VULHUB: VHN-125770 // JVNDB: JVNDB-2018-009304 // CNNVD: CNNVD-201808-526 // NVD: CVE-2018-15504

REFERENCES

url:https://github.com/embedthis/appweb/commit/66067ae6d1fa08b37a270e7dc1821df52ed2daef

Trust: 1.7

url:https://github.com/embedthis/appweb/issues/605

Trust: 1.7

url:https://github.com/embedthis/goahead/issues/264

Trust: 1.7

url:https://supportportal.juniper.net/s/article/2019-07-security-bulletin-junos-os-j-web-denial-of-service-due-to-multiple-vulnerabilities-in-embedthis-appweb-server

Trust: 1.6

url:https://supportportal.juniper.net/s/article/2021-07-security-bulletin-junos-os-multiple-j-web-vulnerabilities-resolved

Trust: 1.6

url:https://jvn.jp/vu/jvnvu92569237/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-15504

Trust: 0.8

url:http://kb.juniper.net/infocenter/index?page=content&id=jsa10948

Trust: 0.6

url:https://vigilance.fr/vulnerability/embedthis-goahead-appweb-null-pointer-dereference-via-http-request-29746

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.2562/

Trust: 0.6

sources: VULHUB: VHN-125770 // JVNDB: JVNDB-2018-009304 // CNNVD: CNNVD-201808-526 // NVD: CVE-2018-15504

SOURCES

db: VULHUB, id: VHN-125770
db: JVNDB, id: JVNDB-2018-009304
db: CNNVD, id: CNNVD-201808-526
db: NVD, id: CVE-2018-15504

LAST UPDATE DATE

2024-08-14T13:05:26.762000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-125770, date: 2018-10-19T00:00:00
db: JVNDB, id: JVNDB-2018-009304, date: 2023-05-11T08:50:00
db: CNNVD, id: CNNVD-201808-526, date: 2023-06-14T00:00:00
db: NVD, id: CVE-2018-15504, date: 2023-06-22T19:50:47.797

SOURCES RELEASE DATE

db: VULHUB, id: VHN-125770, date: 2018-08-18T00:00:00
db: JVNDB, id: JVNDB-2018-009304, date: 2018-11-14T00:00:00
db: CNNVD, id: CNNVD-201808-526, date: 2018-08-20T00:00:00
db: NVD, id: CVE-2018-15504, date: 2018-08-18T03:29:00.237