Lucene search

Gentoo FoundationGLSA-200411-02

HistoryNov 01, 2004 - 12:00 a.m.

Cherokee: Format string vulnerability

2004-11-0100:00:00

Gentoo Foundation

security.gentoo.org

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.018

Percentile

88.1%

JSON

Background

Cherokee is an extra-light web server.

Description

Florian Schilhabel from the Gentoo Linux Security Audit Team found a format string vulnerability in the cherokee_logger_ncsa_write_string() function.

Impact

Using a specially crafted URL when authenticating via auth_pam, a malicious user may be able to crash the server or execute arbitrary code on the target machine with permissions of the user running Cherokee.

Workaround

There is no known workaround at this time.

Resolution

All Cherokee users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=www-servers/cherokee-0.4.17.1"

OSVersionArchitecturePackageVersionFilename
Gentooanyallwww-servers/cherokee<= 0.4.17UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Gentoo	any	all	www-servers/cherokee	<= 0.4.17	UNKNOWN

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.018

Percentile

88.1%

JSON

Related for GLSA-200411-02