
Test ID: 1.3.6.1.4.1.25623.1.0.144328
Category: Denial of Service
Title: Cherokee Web Server 0.4.27 <= 1.2.104 DoS Vulnerability
Summary: Cherokee Web Server is prone to a denial of service (DoS) vulnerability.
Description:
Summary:
Cherokee Web Server is prone to a denial of service (DoS)
vulnerability.

Vulnerability Insight:
Cherokee is affected by a DoS due to NULL pointer dereferences.

A remote unauthenticated attacker can crash the server by sending an HTTP request to protected
resources using a malformed Authorization header that is mishandled during a cherokee_buffer_add
call within cherokee_validator_parse_basic or cherokee_validator_parse_digest.

Vulnerability Impact:
An unauthenticated attacker may crash the server.

Affected Software/OS:
Cherokee Web Server versions 0.4.27 through 1.2.104.

Solution:
No known solution was made available for at least one year
since the disclosure of this vulnerability. Likely none will be provided anymore. General solution
options are to upgrade to a newer release, disable respective features, remove the product or
replace the product by another one.

Possible mitigations:

- Extract the source code patch from the referenced GitHub pull request and rebuild the software
with the patch applied

- Rebuild the software from the 'master' development branch available in the GitHub repository

Notes:

- Last 'official' release 1.2.104 was done by the vendor in 2014 (see Git commit
1824487b7af0724ae42ef564b82b106c65fc0b31) and doesn't include the fix for this vulnerability

- Please create an override for this result if only the source code patch has been applied, the
product was built from the development branch or if the target host is running Mageia

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Cross-reference: Common Vulnerability Exposure (CVE) ID: CVE-2020-12845
https://security.gentoo.org/glsa/202012-09
http://cherokee-project.com/downloads.html
https://github.com/cherokee/webserver/issues/1242
https://github.com/cherokee/webserver/releases
Copyright: Copyright (C) 2020 Greenbone AG





© 1998-2025 E-Soft Inc. All rights reserved.