Vulnerability Details : CVE-2019-12822
In http.c in Embedthis GoAhead before 4.1.1 and 5.x before 5.0.1, a header parsing vulnerability causes a memory assertion, out-of-bounds memory reference, and potential DoS, as demonstrated by a colon on a line by itself.
Vulnerability category: Overflow; Denial of service
Products affected by CVE-2019-12822
- cpe:2.3:a:embedthis:goahead:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-12822
17.44%
Probability of exploitation activity in the next 30 days
EPSS Score History
~95% percentile (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-12822
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2019-12822
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Assigned by: nvd@nist.gov (Primary)
- The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-12822
- https://github.com/embedthis/goahead/compare/5349710...579f21f (Comparing 5349710...579f21f · embedthis/goahead · GitHub) Patch; Third Party Advisory
- https://github.com/embedthis/goahead/issues/285 (Header parsing causing invalid memory reference · Issue #285 · embedthis/goahead · GitHub) Patch; Third Party Advisory