Lucene search

[email protected]CVE-2019-5097

HistoryDec 03, 2019 - 10:15 p.m.

CVE-2019-5097

2019-12-0322:15:14

CWE-835

[email protected]

web.nvd.nist.gov

cve-2019-5097

denial of service

multi-part form data

goahead web server

http request

security vulnerability

unauthenticated access

infinite loop

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

0.273 Low

EPSS

Percentile

96.8%

JSON

A denial-of-service vulnerability exists in the processing of multi-part/form-data requests in the base GoAhead web server application in versions v5.0.1, v.4.1.1 and v3.6.5. A specially crafted HTTP request can lead to an infinite loop in the process. The request can be unauthenticated in the form of GET or POST requests and does not require the requested resource to exist on the server.

Affected configurations

Vulners

NVD

Node

embedthisgoaheadRange≤v3.6.5

VendorProductVersionCPE
embedthisgoahead*cpe:2.3:a:embedthis:goahead:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
embedthis	goahead	*	cpe:2.3:a:embedthis:goahead::::::::

CNA Affected

[
  {
    "product": "EmbedThis",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "EmbedThis GoAhead Web Server v5.0.1 EmbedThis GoAhead Web Server v4.1.1 EmbedThis GoAhead Web Server v3.6.5"
      }
    ]
  }
]