Crash and Denial of Service Vulnerability in GoAhead Web Server
CVE-2024-3186

5.3MEDIUM

Key Information:

Vendor: Embedthis
Status: Goahead
Vendor: CVE Published:; 17 October 2024

What is CVE-2024-3186?

CWE-476 NULL Pointer Dereference vulnerability in the evalExpr() function of GoAhead Web Server (version <= 6.0.0) when compiled with the ME_GOAHEAD_JAVASCRIPT flag. This vulnerability allows a remote attacker with the privileges to modify JavaScript template (JST) files to trigger a crash and cause a Denial of Service (DoS) by providing malicious templates.

Affected Version(s)

GoAhead 0 <= 6.0.0

References

https://www.nozominetworks.com/labs/vulnerability-advisor...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 17, 2024
Vulnerability Reserved
Apr 2, 2024

Credit

Diego Zaffaroni of Nozomi Networks found this bug during a security research activity.

Embedthis

What is CVE-2024-3186?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit