ID

VAR-202110-0318


CVE

CVE-2021-42342


TITLE

GoAhead Vulnerability in unlimited upload of dangerous types of files in

Trust: 0.8

sources: JVNDB: JVNDB-2021-013755

DESCRIPTION

An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the file upload filter, user form variables can be passed to CGI scripts without being prefixed with the CGI prefix. This permits tunneling untrusted environment variables into vulnerable CGI scripts. GoAhead contains a vulnerability related to unrestricted upload of dangerous file types. Information may be obtained or tampered with, and service operation may be interrupted (DoS). GoAhead is an open source small embedded web server from Embedthis Software in the United States. GoAhead has a file upload vulnerability, which stems from incomplete filtering in the file upload filter.

Trust: 1.8

sources: NVD: CVE-2021-42342 // JVNDB: JVNDB-2021-013755 // VULHUB: VHN-403427 // VULMON: CVE-2021-42342

AFFECTED PRODUCTS

vendor: embedthis, model: goahead, scope: gte, version: 4.0.0

Trust: 1.0

vendor: embedthis, model: goahead, scope: lte, version: 4.1.3

Trust: 1.0

vendor: embedthis, model: goahead, scope: lt, version: 5.1.5

Trust: 1.0

vendor: embedthis, model: goahead, scope: gte, version: 5.0.0

Trust: 1.0

vendor: embedthis, model: goahead, scope: lt, version: 4.x 5.x

Trust: 0.8

vendor: embedthis, model: goahead, scope: eq, version: -

Trust: 0.8

vendor: embedthis, model: goahead, scope: eq, version: 5.1.5

Trust: 0.8

sources: JVNDB: JVNDB-2021-013755 // NVD: CVE-2021-42342

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-42342
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-42342
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202110-1020
value: CRITICAL

Trust: 0.6

VULHUB: VHN-403427
value: HIGH

Trust: 0.1

VULMON: CVE-2021-42342
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-42342
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-403427
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-42342
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-42342
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-403427 // VULMON: CVE-2021-42342 // JVNDB: JVNDB-2021-013755 // CNNVD: CNNVD-202110-1020 // NVD: CVE-2021-42342

PROBLEMTYPE DATA

problemtype:CWE-434

Trust: 1.1

problemtype: Unlimited uploads of dangerous types of files (CWE-434) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-403427 // JVNDB: JVNDB-2021-013755 // NVD: CVE-2021-42342

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-1020

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202110-1020

PATCH

title: Upload form vars bypass CGI prefixing. #305
url: https://github.com/embedthis/goahead/issues/305

Trust: 0.8

title: CVE-2021-42342
url: https://github.com/Mr-xn/CVE-2021-42342

Trust: 0.1

title: goahead-webserver-pre-5.1.5-RCE-PoC-CVE-2021-42342-
url: https://github.com/kimusan/goahead-webserver-pre-5.1.5-RCE-PoC-CVE-2021-42342-

Trust: 0.1

sources: VULMON: CVE-2021-42342 // JVNDB: JVNDB-2021-013755

EXTERNAL IDS

db: NVD, id: CVE-2021-42342

Trust: 3.4

db: JVNDB, id: JVNDB-2021-013755

Trust: 0.8

db: CNNVD, id: CNNVD-202110-1020

Trust: 0.6

db: CNVD, id: CNVD-2021-102061

Trust: 0.1

db: VULHUB, id: VHN-403427

Trust: 0.1

db: VULMON, id: CVE-2021-42342

Trust: 0.1

sources: VULHUB: VHN-403427 // VULMON: CVE-2021-42342 // JVNDB: JVNDB-2021-013755 // CNNVD: CNNVD-202110-1020 // NVD: CVE-2021-42342

REFERENCES

url:https://github.com/embedthis/goahead/issues/305

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-42342

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/434.html

Trust: 0.1

url:https://github.com/mr-xn/cve-2021-42342

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-403427 // VULMON: CVE-2021-42342 // JVNDB: JVNDB-2021-013755 // CNNVD: CNNVD-202110-1020 // NVD: CVE-2021-42342

SOURCES

db: VULHUB, id: VHN-403427
db: VULMON, id: CVE-2021-42342
db: JVNDB, id: JVNDB-2021-013755
db: CNNVD, id: CNNVD-202110-1020
db: NVD, id: CVE-2021-42342

LAST UPDATE DATE

2024-08-14T15:17:02.347000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-403427, date: 2021-10-20T00:00:00
db: VULMON, id: CVE-2021-42342, date: 2021-10-20T00:00:00
db: JVNDB, id: JVNDB-2021-013755, date: 2022-09-27T07:24:00
db: CNNVD, id: CNNVD-202110-1020, date: 2021-10-21T00:00:00
db: NVD, id: CVE-2021-42342, date: 2021-10-20T17:35:15.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-403427, date: 2021-10-14T00:00:00
db: VULMON, id: CVE-2021-42342, date: 2021-10-14T00:00:00
db: JVNDB, id: JVNDB-2021-013755, date: 2022-09-27T00:00:00
db: CNNVD, id: CNNVD-202110-1020, date: 2021-10-14T00:00:00
db: NVD, id: CVE-2021-42342, date: 2021-10-14T06:15:07.037