Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-4489: Improper Input Validation in Cherokee

Severity: 5.0 MEDIUM (NVD)
EPSS: 8.3% (top 7.73%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline
Published: Jan 13
Latest update: May 2

Description

header.c in Cherokee before 0.99.32 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

CVSS vector

AV:N/AC:L/C:P/I:N/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (1 package)

Patches

🔴Vulnerability Details

2
GHSA
GHSA-8cwp-32mr-53q5: header (2022-05-02)
CVEList
CVE-2009-4489: header (2010-01-13)

💥Exploits & PoCs

1
Exploit-DB
Cherokee 0.99.30 - Terminal Escape Sequence in Logs Command Injection (2010-01-11)