Test ID: | 1.3.6.1.4.1.25623.1.0.144328 |
Category: | Denial of Service |
Title: | Cherokee Web Server 0.4.27 <= 1.2.104 DoS Vulnerability |
Summary: | Cherokee Web Server is prone to a denial of service (DoS) vulnerability. |
Description: | Summary: Cherokee Web Server is prone to a denial of service (DoS) vulnerability.
Vulnerability Insight: Cherokee is affected by a DoS due to NULL pointer dereferences. A remote unauthenticated attacker can crash the server by sending an HTTP request to protected resources using a malformed Authorization header that is mishandled during a cherokee_buffer_add call within cherokee_validator_parse_basic or cherokee_validator_parse_digest.
Vulnerability Impact: An unauthenticated attacker may crash the server.
Affected Software/OS: Cherokee Web Server versions 0.4.27 through 1.2.104.
Solution: No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.
Possible mitigations:
- Extract the source code patch from the referenced GitHub pull request and rebuild the software with the patch applied
- Rebuild the software from the 'master' development branch available in the GitHub repository
Notes:
- Last 'official' release 1.2.104 was done by the vendor in 2014 (see Git commit 1824487b7af0724ae42ef564b82b106c65fc0b31) and doesn't include the fix for this vulnerability
- Please create an override for this result if only the source code patch has been applied, the product was built from the development branch or if the target host is running Mageia
CVSS Score: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P |
Cross Reference: |
Common Vulnerability Exposure (CVE) ID: CVE-2020-12845
https://security.gentoo.org/glsa/202012-09
http://cherokee-project.com/downloads.html
https://github.com/cherokee/webserver/issues/1242
https://github.com/cherokee/webserver/releases |
Copyright | Copyright (C) 2020 Greenbone AG |