Details of VAR-201808-0471

ID

VAR-201808-0471

CVE

CVE-2018-15505

TITLE

Embedthis GoAhead and Appweb In NULL Pointer dereference vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-009303

DESCRIPTION

An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 address. Embedthis GoAhead and Appweb for, NULL There is a vulnerability in pointer dereference.Service operation interruption (DoS) It may be in a state. Embedthis GoAhead and Appweb are both products of Embedthis Software in the United States. Embedthis GoAhead is an embedded Web server. Appweb is a fast and small web server, which is mainly used for embedded applications, devices and web services, and supports security defense strategies, digest authentication, virtual hosts, etc. There are security vulnerabilities in Embedthis GoAhead versions prior to 4.0. and Appweb versions prior to 7.0.2

Trust: 1.71

sources: NVD: CVE-2018-15505 // JVNDB: JVNDB-2018-009303 // VULHUB: VHN-125771

AFFECTED PRODUCTS

vendor:	embedthis	model:	appweb	scope:	lt	version:	7.0.2	Trust: 1.0
vendor:	juniper	model:	junos	scope:	eq	version:	15.1x53	Trust: 1.0
vendor:	juniper	model:	junos	scope:	eq	version:	17.1	Trust: 1.0
vendor:	juniper	model:	junos	scope:	eq	version:	17.3	Trust: 1.0
vendor:	juniper	model:	junos	scope:	eq	version:	17.4	Trust: 1.0
vendor:	juniper	model:	junos	scope:	eq	version:	18.1	Trust: 1.0
vendor:	juniper	model:	junos	scope:	eq	version:	15.1	Trust: 1.0
vendor:	juniper	model:	junos	scope:	eq	version:	12.3x48	Trust: 1.0
vendor:	juniper	model:	junos	scope:	eq	version:	15.1x49	Trust: 1.0
vendor:	juniper	model:	junos	scope:	eq	version:	16.2	Trust: 1.0
vendor:	juniper	model:	junos	scope:	eq	version:	16.1	Trust: 1.0
vendor:	juniper	model:	junos	scope:	eq	version:	12.3	Trust: 1.0
vendor:	embedthis	model:	goahead	scope:	lt	version:	4.0.1	Trust: 1.0
vendor:	juniper	model:	junos	scope:	eq	version:	17.2	Trust: 1.0
vendor:	embedthis	model:	goahead	scope:	eq	version:	4.0.1	Trust: 0.8
vendor:	embedthis	model:	appweb	scope:	-	version:	-	Trust: 0.8
vendor:	embedthis	model:	goahead	scope:	eq	version:	3.3.4	Trust: 0.6
vendor:	embedthis	model:	goahead	scope:	eq	version:	3.3.6	Trust: 0.6
vendor:	embedthis	model:	goahead	scope:	eq	version:	3.3.5	Trust: 0.6
vendor:	embedthis	model:	goahead	scope:	eq	version:	3.3.3	Trust: 0.6
vendor:	embedthis	model:	goahead	scope:	eq	version:	3.3.1	Trust: 0.6
vendor:	embedthis	model:	appweb	scope:	eq	version:	4.6.5	Trust: 0.6
vendor:	embedthis	model:	appweb	scope:	eq	version:	5.2.0	Trust: 0.6
vendor:	embedthis	model:	appweb	scope:	eq	version:	5.1.0	Trust: 0.6
vendor:	embedthis	model:	goahead	scope:	eq	version:	3.0.0	Trust: 0.6
vendor:	embedthis	model:	goahead	scope:	eq	version:	3.3.2	Trust: 0.6

sources: JVNDB: JVNDB-2018-009303 // CNNVD: CNNVD-201808-525 // NVD: CVE-2018-15505

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-15505
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-15505
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201808-525
value:	HIGH
Trust: 0.6
VULHUB:	VHN-125771
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-15505
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-125771
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-15505
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2018-15505
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-125771 // JVNDB: JVNDB-2018-009303 // CNNVD: CNNVD-201808-525 // NVD: CVE-2018-15505

PROBLEMTYPE DATA

problemtype:	CWE-476	Trust: 1.1
problemtype:	NULL Pointer dereference (CWE-476) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-125771 // JVNDB: JVNDB-2018-009303 // NVD: CVE-2018-15505

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201808-525

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201808-525

PATCH

title:	NULL dereference for invalid Host and If-Modified-* headers #605 GitHub	url:	https://github.com/embedthis/appweb/commit/16e6979c82297d5fc4f8661e7ada975f51e4dfa9	Trust: 0.8
title:	Embedthis GoAhead and Appweb Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=84128	Trust: 0.6

sources: JVNDB: JVNDB-2018-009303 // CNNVD: CNNVD-201808-525

EXTERNAL IDS

db:	NVD	id:	CVE-2018-15505	Trust: 3.3
db:	JVN	id:	JVNVU92569237	Trust: 0.8
db:	JVNDB	id:	JVNDB-2018-009303	Trust: 0.8
db:	CNNVD	id:	CNNVD-201808-525	Trust: 0.7
db:	JUNIPER	id:	JSA10948	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.2562	Trust: 0.6
db:	VULHUB	id:	VHN-125771	Trust: 0.1

sources: VULHUB: VHN-125771 // JVNDB: JVNDB-2018-009303 // CNNVD: CNNVD-201808-525 // NVD: CVE-2018-15505

REFERENCES

url:	https://github.com/embedthis/appweb/commit/16e6979c82297d5fc4f8661e7ada975f51e4dfa9	Trust: 1.7
url:	https://github.com/embedthis/appweb/issues/605	Trust: 1.7
url:	https://github.com/embedthis/goahead/issues/264	Trust: 1.7
url:	https://supportportal.juniper.net/s/article/2021-07-security-bulletin-junos-os-multiple-j-web-vulnerabilities-resolved?language=en_us	Trust: 1.6
url:	https://jvn.jp/vu/jvnvu92569237/index.html	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-15505	Trust: 0.8
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10948	Trust: 0.6
url:	https://vigilance.fr/vulnerability/embedthis-goahead-appweb-null-pointer-dereference-via-host-header-29747	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.2562/	Trust: 0.6

sources: VULHUB: VHN-125771 // JVNDB: JVNDB-2018-009303 // CNNVD: CNNVD-201808-525 // NVD: CVE-2018-15505

SOURCES

db:	VULHUB	id:	VHN-125771
db:	JVNDB	id:	JVNDB-2018-009303
db:	CNNVD	id:	CNNVD-201808-525
db:	NVD	id:	CVE-2018-15505

LAST UPDATE DATE

2024-08-14T13:13:31.091000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-125771	date:	2018-10-19T00:00:00
db:	JVNDB	id:	JVNDB-2018-009303	date:	2023-05-11T08:50:00
db:	CNNVD	id:	CNNVD-201808-525	date:	2023-06-14T00:00:00
db:	NVD	id:	CVE-2018-15505	date:	2023-06-22T19:49:59

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-125771	date:	2018-08-18T00:00:00
db:	JVNDB	id:	JVNDB-2018-009303	date:	2018-11-14T00:00:00
db:	CNNVD	id:	CNNVD-201808-525	date:	2018-08-20T00:00:00
db:	NVD	id:	CVE-2018-15505	date:	2018-08-18T03:29:00.457