CyberSec.Space Logo
返回 CVE 浏览器

CVE-2021-41615

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1370%
EPSS Percentile35.01th
Published2022年8月8日
Last Modified2024年11月21日

Vulnerability Description

websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy because the nonce calculation relies on the hardcoded onceuponatimeinparadise value, which does not follow the secret-data guideline for HTTP Digest Access Authentication in RFC 7616 section 3.3 (or RFC 2617 section 3.2.1). NOTE: 2.1.8 is a version from 2003; however, the affected websda.c code appears in multiple derivative works that may be used in 2021. Recent GoAhead software is unaffected.

Affected Platforms (CPE)

📦
Embedthis

Goahead

= 2.1.8

References & Advisories

🔗 https://devel.rtems.org/browser/rtems/cpukit/httpd/websda.c?rev=c1427d2758079f0e9dd6a8de1662d78e0d6bc4ca
🔗 https://github.com/trenta3/goahead-versions/blob/master/2.1.8/230165webs218.tar.gz?raw=true
🔗 https://devel.rtems.org/browser/rtems/cpukit/httpd/websda.c?rev=c1427d2758079f0e9dd6a8de1662d78e0d6bc4ca
🔗 https://github.com/trenta3/goahead-versions/blob/master/2.1.8/230165webs218.tar.gz?raw=true

相关漏洞威胁

CVE-2015-793710.0

Stack-based buffer overflow in the GoAhead Web Server on Schneider Electric Modicon M340 PLC BMXNOx and BMXPx devices allows remot...

CVE-2019-153119.8

An issue was discovered on Zolo Halo devices via the Linkplay firmware. There is Zolo Halo LAN remote code execution. The Zolo Hal...

CVE-2019-50969.8

An exploitable code execution vulnerability exists in the processing of multi-part/form-data requests within the base GoAhead web ...

CVE-2021-423429.8

An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the file upload filter, user form variables can be passed to CGI s...