CVE-2014-9707

EmbedThis GoAhead 3.0.0 through 3.4.1 does not properly handle path segments starting with a . (dot), which allows remote attackers to conduct directory traversal attacks, cause a denial of service (heap-based buffer overflow and crash), or possibly execute arbitrary code via a crafted URI.

Published: Mar 31, 2015
Updated: Apr 13, 2023
CVE: CVE-2014-9707
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-17

Affected Software
References

Software	From	Fixed in
embedthis / goahead	3.3.2	3.3.2.x
embedthis / goahead	3.0.0	3.0.0.x
embedthis / goahead	3.3.4	3.3.4.x
embedthis / goahead	3.4.0	3.4.0.x
embedthis / goahead	3.3.5	3.3.5.x
embedthis / goahead	3.3.1	3.3.1.x
embedthis / goahead	3.3.6	3.3.6.x
embedthis / goahead	3.3.3	3.3.3.x

http://packetstormsecurity.com/files/131156/GoAhead-3.4.1-Heap-Overflow-Traversal.html
http://seclists.org/fulldisclosure/2015/Mar/157
http://www.securityfocus.com/archive/1/535027/100/0/threaded
http://www.securitytracker.com/id/1032208
https://github.com/embedthis/goahead/commit/eed4a7d177bf94a54c7b06ccce88507fbd76fb77
https://github.com/embedthis/goahead/issues/106

Vulnerability Database

289,784

CVE-2014-9707