Vulnerability Details : CVE-2011-2900
Stack-based buffer overflow in the (1) put_dir function in mongoose.c in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL Embedded Web Server (yasslEWS) 0.2, and (3) _shttpd_put_dir function in io_dir.c in Simple HTTPD (shttpd) 1.42 allows remote attackers to execute arbitrary code via an HTTP PUT request, as exploited in the wild in 2011.
Vulnerability category: OverflowExecute code
Products affected by CVE-2011-2900
- cpe:2.3:a:yassl:yasslews:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:shttpd:shttpd:1.42:*:*:*:*:*:*:*
- cpe:2.3:a:valenok:mongoose:3.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-2900
46.99%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-2900
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2011-2900
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-2900
-
https://code.google.com/p/mongoose/source/detail?r=556f4de91eae4bac40dc5d4ddbd9ec7c424711d0
Google Code Archive - Long-term storage for Google Code Project Hosting.Patch
-
http://securityreason.com/securityalert/8337
Simple HTTPd 1.42 PUT Request Remote Buffer Overflow Vulnerability - CXSecurity.com
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065505.html
[SECURITY] Fedora 15 Update: mongoose-3.0-2.fc15
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065273.html
[SECURITY] Fedora 16 Update: mongoose-3.0-2.fc16
-
http://www.openwall.com/lists/oss-security/2011/08/03/9
oss-security - Re: CVE id request: shttpd/mongoose/yassl embedded webserverPatch
-
http://www.openwall.com/lists/oss-security/2011/08/03/5
oss-security - CVE id request: shttpd/mongoose/yassl embedded webserverPatch
-
http://www.securityfocus.com/bid/48980
Mongoose PUT Request Remote Buffer Overflow Vulnerability
-
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065537.html
[SECURITY] Fedora 14 Update: mongoose-3.0-2.fc14
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/68991
Mongoose PUT buffer overflow CVE-2011-2900 Vulnerability Report
Jump to