Goahead Versions <= 6.0.0 Vulnerable to Use After Free and Double Free Vulnerabilities

CVE-2024-3187

5.9MEDIUM

Key Information

Vendor: Embedthis
Status: Goahead
Vendor: CVE Published:; 17 October 2024

Summary

This issue tracks two CWE-416 Use After Free (UAF) and one CWE-415 Double Free vulnerabilities in Goahead versions <= 6.0.0. These are caused by JST values not being nulled when freed during parsing of JST templates. If the ME_GOAHEAD_JAVASCRIPT flag is enabled, a remote attacker with the privileges to modify JavaScript template (JST) files could exploit this by providing malicious templates. This may lead to memory corruption, potentially causing a Denial of Service (DoS) or, in rare cases, code execution, though the latter is highly context-dependent.

Affected Version(s)

GoAhead <= 6.0.0

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Oct 17, 2024
Vulnerability Reserved.
Apr 2, 2024

Collectors

NVD DatabaseMitre Database

Credit

Diego Zaffaroni of Nozomi Networks found this bug during a security research activity.