Details of VAR-202110-0318

ID

VAR-202110-0318

CVE

CVE-2021-42342

TITLE

GoAhead Vulnerability in unlimited upload of dangerous types of files in

Trust: 0.8

sources: JVNDB: JVNDB-2021-013755

DESCRIPTION

An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the file upload filter, user form variables can be passed to CGI scripts without being prefixed with the CGI prefix. This permits tunneling untrusted environment variables into vulnerable CGI scripts. GoAhead Contains a vulnerability related to unlimited uploads of dangerous types of files.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. GoAhead is an open source small embedded Web server from Embedthis Software in the United States. GoAhead has a file upload vulnerability, which stems from incomplete filtering in the file upload filter

Trust: 1.8

sources: NVD: CVE-2021-42342 // JVNDB: JVNDB-2021-013755 // VULHUB: VHN-403427 // VULMON: CVE-2021-42342

AFFECTED PRODUCTS

vendor:	embedthis	model:	goahead	scope:	gte	version:	4.0.0	Trust: 1.0
vendor:	embedthis	model:	goahead	scope:	lte	version:	4.1.3	Trust: 1.0
vendor:	embedthis	model:	goahead	scope:	lt	version:	5.1.5	Trust: 1.0
vendor:	embedthis	model:	goahead	scope:	gte	version:	5.0.0	Trust: 1.0
vendor:	embedthis	model:	goahead	scope:	lt	version:	4.x 5.x	Trust: 0.8
vendor:	embedthis	model:	goahead	scope:	eq	version:	-	Trust: 0.8
vendor:	embedthis	model:	goahead	scope:	eq	version:	5.1.5	Trust: 0.8

sources: JVNDB: JVNDB-2021-013755 // NVD: CVE-2021-42342

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-42342
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2021-42342
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202110-1020
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-403427
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-42342
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-42342
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-403427
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-42342
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-42342
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-403427 // VULMON: CVE-2021-42342 // JVNDB: JVNDB-2021-013755 // CNNVD: CNNVD-202110-1020 // NVD: CVE-2021-42342

PROBLEMTYPE DATA

problemtype:	CWE-434	Trust: 1.1
problemtype:	Unlimited uploads of dangerous types of files (CWE-434) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-403427 // JVNDB: JVNDB-2021-013755 // NVD: CVE-2021-42342

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-1020

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202110-1020

PATCH

title:	Upload form vars bypass CGI prefixing. #305	url:	https://github.com/embedthis/goahead/issues/305	Trust: 0.8
title:	CVE-2021-42342	url:	https://github.com/Mr-xn/CVE-2021-42342	Trust: 0.1
title:	goahead-webserver-pre-5.1.5-RCE-PoC-CVE-2021-42342-	url:	https://github.com/kimusan/goahead-webserver-pre-5.1.5-RCE-PoC-CVE-2021-42342-	Trust: 0.1

sources: VULMON: CVE-2021-42342 // JVNDB: JVNDB-2021-013755

EXTERNAL IDS

db:	NVD	id:	CVE-2021-42342	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-013755	Trust: 0.8
db:	CNNVD	id:	CNNVD-202110-1020	Trust: 0.6
db:	CNVD	id:	CNVD-2021-102061	Trust: 0.1
db:	VULHUB	id:	VHN-403427	Trust: 0.1
db:	VULMON	id:	CVE-2021-42342	Trust: 0.1

sources: VULHUB: VHN-403427 // VULMON: CVE-2021-42342 // JVNDB: JVNDB-2021-013755 // CNNVD: CNNVD-202110-1020 // NVD: CVE-2021-42342

REFERENCES

url:	https://github.com/embedthis/goahead/issues/305	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-42342	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/434.html	Trust: 0.1
url:	https://github.com/mr-xn/cve-2021-42342	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-403427 // VULMON: CVE-2021-42342 // JVNDB: JVNDB-2021-013755 // CNNVD: CNNVD-202110-1020 // NVD: CVE-2021-42342

SOURCES

db:	VULHUB	id:	VHN-403427
db:	VULMON	id:	CVE-2021-42342
db:	JVNDB	id:	JVNDB-2021-013755
db:	CNNVD	id:	CNNVD-202110-1020
db:	NVD	id:	CVE-2021-42342

LAST UPDATE DATE

2024-08-14T15:17:02.347000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-403427	date:	2021-10-20T00:00:00
db:	VULMON	id:	CVE-2021-42342	date:	2021-10-20T00:00:00
db:	JVNDB	id:	JVNDB-2021-013755	date:	2022-09-27T07:24:00
db:	CNNVD	id:	CNNVD-202110-1020	date:	2021-10-21T00:00:00
db:	NVD	id:	CVE-2021-42342	date:	2021-10-20T17:35:15.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-403427	date:	2021-10-14T00:00:00
db:	VULMON	id:	CVE-2021-42342	date:	2021-10-14T00:00:00
db:	JVNDB	id:	JVNDB-2021-013755	date:	2022-09-27T00:00:00
db:	CNNVD	id:	CNNVD-202110-1020	date:	2021-10-14T00:00:00
db:	NVD	id:	CVE-2021-42342	date:	2021-10-14T06:15:07.037