Lucene search

PRIOn knowledge basePRION:CVE-2020-24916

HistorySep 09, 2020 - 7:15 p.m.

Command injection

2020-09-0919:15:00

PRIOn knowledge base

www.prio-n.com

9.6 High

AI Score

Confidence

High

0.614 Medium

EPSS

Percentile

97.8%

CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS command injection.

CPENameOperatorVersion
ubuntu_linuxeq18.04
debian_linuxeq9.0
debian_linuxeq10.0
yawsge1.81
yawsle2.0.7

Name	Operator	Version
ubuntu_linux	eq	18.04
debian_linux	eq	9.0
debian_linux	eq	10.0
yaws	ge	1.81
yaws	le	2.0.7

References

github.com/erlyaws/yaws/commits/master

github.com/vulnbe/poc-yaws-cgi-shell-injection

lists.debian.org/debian-lts-announce/2020/09/msg00022.html

packetstormsecurity.com/files/159106/Yaws-2.0.7-XML-Injection-Command-Injection.html

usn.ubuntu.com/4569-1/

vuln.be/post/yaws-xxe-and-shell-injections/

www.debian.org/security/2020/dsa-4773