ID

VAR-201808-0471


CVE

CVE-2018-15505


TITLE

Embedthis GoAhead  and  Appweb  In  NULL  Pointer dereference vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-009303

DESCRIPTION

An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 address. Embedthis GoAhead and Appweb for, NULL There is a vulnerability in pointer dereference.Service operation interruption (DoS) It may be in a state. Embedthis GoAhead and Appweb are both products of Embedthis Software in the United States. Embedthis GoAhead is an embedded Web server. Appweb is a fast and small web server, which is mainly used for embedded applications, devices and web services, and supports security defense strategies, digest authentication, virtual hosts, etc. There are security vulnerabilities in Embedthis GoAhead versions prior to 4.0. and Appweb versions prior to 7.0.2

Trust: 1.71

sources: NVD: CVE-2018-15505 // JVNDB: JVNDB-2018-009303 // VULHUB: VHN-125771

AFFECTED PRODUCTS

vendor:junipermodel:junosscope:eqversion:15.1x49

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:15.1x53

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:17.2

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:16.2

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:17.1

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:15.1

Trust: 1.0

vendor:embedthismodel:goaheadscope:ltversion:4.0.1

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:12.3

Trust: 1.0

vendor:embedthismodel:appwebscope:ltversion:7.0.2

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:12.3x48

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:17.3

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:17.4

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:18.1

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:16.1

Trust: 1.0

vendor:embedthismodel:goaheadscope:eqversion:4.0.1

Trust: 0.8

vendor:embedthismodel:appwebscope: - version: -

Trust: 0.8

vendor:embedthismodel:goaheadscope:eqversion:3.3.4

Trust: 0.6

vendor:embedthismodel:goaheadscope:eqversion:3.3.6

Trust: 0.6

vendor:embedthismodel:goaheadscope:eqversion:3.3.5

Trust: 0.6

vendor:embedthismodel:goaheadscope:eqversion:3.3.3

Trust: 0.6

vendor:embedthismodel:goaheadscope:eqversion:3.3.1

Trust: 0.6

vendor:embedthismodel:appwebscope:eqversion:4.6.5

Trust: 0.6

vendor:embedthismodel:appwebscope:eqversion:5.2.0

Trust: 0.6

vendor:embedthismodel:appwebscope:eqversion:5.1.0

Trust: 0.6

vendor:embedthismodel:goaheadscope:eqversion:3.0.0

Trust: 0.6

vendor:embedthismodel:goaheadscope:eqversion:3.3.2

Trust: 0.6

sources: JVNDB: JVNDB-2018-009303 // CNNVD: CNNVD-201808-525 // NVD: CVE-2018-15505

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-15505
value: HIGH

Trust: 1.0

NVD: CVE-2018-15505
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201808-525
value: HIGH

Trust: 0.6

VULHUB: VHN-125771
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-15505
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-125771
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-15505
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2018-15505
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-125771 // JVNDB: JVNDB-2018-009303 // CNNVD: CNNVD-201808-525 // NVD: CVE-2018-15505

PROBLEMTYPE DATA

problemtype:CWE-476

Trust: 1.1

problemtype:NULL Pointer dereference (CWE-476) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-125771 // JVNDB: JVNDB-2018-009303 // NVD: CVE-2018-15505

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201808-525

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201808-525

PATCH

title:NULL dereference for invalid Host and If-Modified-* headers #605 GitHuburl:https://github.com/embedthis/appweb/commit/16e6979c82297d5fc4f8661e7ada975f51e4dfa9

Trust: 0.8

title:Embedthis GoAhead and Appweb Security vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=84128

Trust: 0.6

sources: JVNDB: JVNDB-2018-009303 // CNNVD: CNNVD-201808-525

EXTERNAL IDS

db:NVDid:CVE-2018-15505

Trust: 3.3

db:JVNid:JVNVU92569237

Trust: 0.8

db:JVNDBid:JVNDB-2018-009303

Trust: 0.8

db:CNNVDid:CNNVD-201808-525

Trust: 0.7

db:JUNIPERid:JSA10948

Trust: 0.6

db:AUSCERTid:ESB-2019.2562

Trust: 0.6

db:VULHUBid:VHN-125771

Trust: 0.1

sources: VULHUB: VHN-125771 // JVNDB: JVNDB-2018-009303 // CNNVD: CNNVD-201808-525 // NVD: CVE-2018-15505

REFERENCES

url:https://github.com/embedthis/appweb/commit/16e6979c82297d5fc4f8661e7ada975f51e4dfa9

Trust: 1.7

url:https://github.com/embedthis/appweb/issues/605

Trust: 1.7

url:https://github.com/embedthis/goahead/issues/264

Trust: 1.7

url:https://supportportal.juniper.net/s/article/2021-07-security-bulletin-junos-os-multiple-j-web-vulnerabilities-resolved?language=en_us

Trust: 1.6

url:https://jvn.jp/vu/jvnvu92569237/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-15505

Trust: 0.8

url:http://kb.juniper.net/infocenter/index?page=content&id=jsa10948

Trust: 0.6

url:https://vigilance.fr/vulnerability/embedthis-goahead-appweb-null-pointer-dereference-via-host-header-29747

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.2562/

Trust: 0.6

sources: VULHUB: VHN-125771 // JVNDB: JVNDB-2018-009303 // CNNVD: CNNVD-201808-525 // NVD: CVE-2018-15505

SOURCES

db:VULHUBid:VHN-125771
db:JVNDBid:JVNDB-2018-009303
db:CNNVDid:CNNVD-201808-525
db:NVDid:CVE-2018-15505

LAST UPDATE DATE

2024-11-23T20:32:59.811000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-125771date:2018-10-19T00:00:00
db:JVNDBid:JVNDB-2018-009303date:2023-05-11T08:50:00
db:CNNVDid:CNNVD-201808-525date:2023-06-14T00:00:00
db:NVDid:CVE-2018-15505date:2024-11-21T03:50:57.637

SOURCES RELEASE DATE

db:VULHUBid:VHN-125771date:2018-08-18T00:00:00
db:JVNDBid:JVNDB-2018-009303date:2018-11-14T00:00:00
db:CNNVDid:CNNVD-201808-525date:2018-08-20T00:00:00
db:NVDid:CVE-2018-15505date:2018-08-18T03:29:00.457