Vulnerability Description
In Cherokee through 1.2.104, remote attackers can trigger an out-of-bounds write in cherokee_handler_cgi_add_env_pair in handler_cgi.c by sending many request headers, as demonstrated by a GET request with many "Host: 127.0.0.1" headers.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cherokee-Project | Cherokee | <= 1.2.104 |
Related Weaknesses (CWE)
References
- https://github.com/cherokee/webserver/issues/1224ExploitThird Party Advisory
- https://logicaltrust.net/blog/2019/11/cherokee.htmlExploitThird Party Advisory
- https://security.gentoo.org/glsa/202012-09Third Party Advisory
- https://github.com/cherokee/webserver/issues/1224ExploitThird Party Advisory
- https://logicaltrust.net/blog/2019/11/cherokee.htmlExploitThird Party Advisory
- https://security.gentoo.org/glsa/202012-09Third Party Advisory
FAQ
What is CVE-2019-20800?
CVE-2019-20800 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Cherokee through 1.2.104, remote attackers can trigger an out-of-bounds write in cherokee_handler_cgi_add_env_pair in handler_cgi.c by sending many request headers, as demonstrated by a GET request...
How severe is CVE-2019-20800?
CVE-2019-20800 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-20800?
Check the references section above for vendor advisories and patch information. Affected products include: Cherokee-Project Cherokee.