CVE-2014-9707 - Vulnerability Details - OpenCVE

EmbedThis GoAhead 3.0.0 through 3.4.1 does not properly handle path segments starting with a . (dot), which allows remote attackers to conduct directory traversal attacks, cause a denial of service (heap-based buffer overflow and crash), or possibly execute arbitrary code via a crafted URI.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.66123.

Key SSVC decision points have not yet been added.

Vendors	Products
Embedthis Subscribe	Goahead Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:embedthis:goahead:3.0.0:::::::*
	cpe:2.3:a:embedthis:goahead:3.3.1:::::::*
	cpe:2.3:a:embedthis:goahead:3.3.2:::::::*
	cpe:2.3:a:embedthis:goahead:3.3.3:::::::*
	cpe:2.3:a:embedthis:goahead:3.3.4:::::::*
	cpe:2.3:a:embedthis:goahead:3.3.5:::::::*
	cpe:2.3:a:embedthis:goahead:3.3.6:::::::*
	cpe:2.3:a:embedthis:goahead:3.4.0:::::::*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://packetstormsecurity.com/files/131156/GoAhead-3.4.1-Heap-Overflow-Traversal.html
http://seclists.org/fulldisclosure/2015/Mar/157
http://www.securityfocus.com/archive/1/535027/100/0/threaded
http://www.securitytracker.com/id/1032208
https://github.com/embedthis/goahead/commit/eed4a7d177bf94a54c7b06ccce88507fbd76fb77
https://github.com/embedthis/goahead/issues/106

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-03-31T14:00:00

Updated: 2024-08-06T13:55:05.082Z

Reserved: 2015-03-23T00:00:00

Link: CVE-2014-9707

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-03-31T14:59:06.250

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-9707

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-17

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-11-24T00:00:00", "descriptions": [{"lang": "en", "value": "EmbedThis GoAhead 3.0.0 through 3.4.1 does not properly handle path segments starting with a . (dot), which allows remote attackers to conduct directory traversal attacks, cause a denial of service (heap-based buffer overflow and crash), or possibly execute arbitrary code via a crafted URI."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/embedthis/goahead/issues/106"}, {"name": "20150328 Advisory: CVE-2014-9707: GoAhead Web Server 3.0.0 - 3.4.1", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2015/Mar/157"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/embedthis/goahead/commit/eed4a7d177bf94a54c7b06ccce88507fbd76fb77"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/131156/GoAhead-3.4.1-Heap-Overflow-Traversal.html"}, {"name": "1032208", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1032208"}, {"name": "20150328 Advisory: CVE-2014-9707: GoAhead Web Server 3.0.0 - 3.4.1", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/535027/100/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9707", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "EmbedThis GoAhead 3.0.0 through 3.4.1 does not properly handle path segments starting with a . (dot), which allows remote attackers to conduct directory traversal attacks, cause a denial of service (heap-based buffer overflow and crash), or possibly execute arbitrary code via a crafted URI."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/embedthis/goahead/issues/106", "refsource": "CONFIRM", "url": "https://github.com/embedthis/goahead/issues/106"}, {"name": "20150328 Advisory: CVE-2014-9707: GoAhead Web Server 3.0.0 - 3.4.1", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/Mar/157"}, {"name": "https://github.com/embedthis/goahead/commit/eed4a7d177bf94a54c7b06ccce88507fbd76fb77", "refsource": "CONFIRM", "url": "https://github.com/embedthis/goahead/commit/eed4a7d177bf94a54c7b06ccce88507fbd76fb77"}, {"name": "http://packetstormsecurity.com/files/131156/GoAhead-3.4.1-Heap-Overflow-Traversal.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/131156/GoAhead-3.4.1-Heap-Overflow-Traversal.html"}, {"name": "1032208", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1032208"}, {"name": "20150328 Advisory: CVE-2014-9707: GoAhead Web Server 3.0.0 - 3.4.1", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/535027/100/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:55:05.082Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/embedthis/goahead/issues/106"}, {"name": "20150328 Advisory: CVE-2014-9707: GoAhead Web Server 3.0.0 - 3.4.1", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2015/Mar/157"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/embedthis/goahead/commit/eed4a7d177bf94a54c7b06ccce88507fbd76fb77"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/131156/GoAhead-3.4.1-Heap-Overflow-Traversal.html"}, {"name": "1032208", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1032208"}, {"name": "20150328 Advisory: CVE-2014-9707: GoAhead Web Server 3.0.0 - 3.4.1", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/535027/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9707", "datePublished": "2015-03-31T14:00:00", "dateReserved": "2015-03-23T00:00:00", "dateUpdated": "2024-08-06T13:55:05.082Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:embedthis:goahead:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "45742C8A-B721-45C2-9FE0-7BA644DDB3D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:embedthis:goahead:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "FCAE51A5-4B89-480D-BD78-30404A55F8C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:embedthis:goahead:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "520C250B-98A1-46F9-8088-CB13D958B482", "vulnerable": true}, {"criteria": "cpe:2.3:a:embedthis:goahead:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "76ED896A-F0BD-479B-8BDA-CDE44CA4A8B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:embedthis:goahead:3.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "F34E5498-3073-4251-B167-6CE8695502C1", "vulnerable": true}, {"criteria": "cpe:2.3:a:embedthis:goahead:3.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "182F9C41-2DD0-475A-B49B-1B38AE5DF626", "vulnerable": true}, {"criteria": "cpe:2.3:a:embedthis:goahead:3.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "9B18FF36-6934-4B80-9437-B202FDE9A55E", "vulnerable": true}, {"criteria": "cpe:2.3:a:embedthis:goahead:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "26DE3222-0FA8-49DE-8E94-AB3BC8816F9B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EmbedThis GoAhead 3.0.0 through 3.4.1 does not properly handle path segments starting with a . (dot), which allows remote attackers to conduct directory traversal attacks, cause a denial of service (heap-based buffer overflow and crash), or possibly execute arbitrary code via a crafted URI."}, {"lang": "es", "value": "EmbedThis GoAhead 3.0.0 hasta 3.4.1 no maneja correctamente los segmentos de rutas que comienzan con un . (punto), lo que permite a atacantes remotos realizar ataques de salto de directorio, causar una denegaci\u00f3n de servicio (desbordamiento de buffer basado en memoria din\u00e1mica y ca\u00edda), o posiblemente ejecutar c\u00f3digo arbitrario a trav\u00e9s de una URI manipulada."}], "id": "CVE-2014-9707", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-03-31T14:59:06.250", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/131156/GoAhead-3.4.1-Heap-Overflow-Traversal.html"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2015/Mar/157"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/535027/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1032208"}, {"source": "cve@mitre.org", "url": "https://github.com/embedthis/goahead/commit/eed4a7d177bf94a54c7b06ccce88507fbd76fb77"}, {"source": "cve@mitre.org", "url": "https://github.com/embedthis/goahead/issues/106"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/131156/GoAhead-3.4.1-Heap-Overflow-Traversal.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2015/Mar/157"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/535027/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1032208"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/embedthis/goahead/commit/eed4a7d177bf94a54c7b06ccce88507fbd76fb77"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/embedthis/goahead/issues/106"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-17"}], "source": "nvd@nist.gov", "type": "Primary"}]}