⚠ Actively exploited
Added to CISA KEV on 2021-12-10. Federal agencies required to patch by 2022-06-10. Required action: Apply updates per vendor instructions.
CVE-2017-17562 — Improper Input Validation in GoAhead
Severity
8.1 HIGH (NVD)
EPSS
94.3%
top 0.05%
CISA KEV
Added 2021-12-10
Due 2022-06-10
Exploit
Exploited in wild
Active exploitation observed
Timeline
Published: Dec 12
KEV added: Dec 10
Latest update: May 14
KEV due: Jun 10
Description
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and re…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9
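The root cause in the description is that request parameter names become environment variable names for the forked CGI process. The C sketch below is an added example, not GoAhead's code or its patch: it contrasts that pattern with a hardened one that validates the name and namespaces it. The `CGI_` prefix, the function names and the sample parameters are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CGI_PREFIX "CGI_"   /* assumed prefix, chosen for this example */

/* Accept only plain identifier names: [A-Za-z_][A-Za-z0-9_]* */
static int name_is_plain(const char *name)
{
    if (!isalpha((unsigned char)name[0]) && name[0] != '_')
        return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_')
            return 0;
    return 1;
}

/* Vulnerable pattern: the parameter name is used verbatim as the
 * environment variable name handed to the CGI child. */
int env_entry_unsafe(char *out, size_t cap, const char *name, const char *value)
{
    int n = snprintf(out, cap, "%s=%s", name, value);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

/* Hardened pattern: reject odd names and prefix the rest, so a request
 * cannot set a variable the dynamic linker interprets. */
int env_entry_safe(char *out, size_t cap, const char *name, const char *value)
{
    if (!name_is_plain(name))
        return -1;
    int n = snprintf(out, cap, CGI_PREFIX "%s=%s", name, value);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

/* Returns 1 if an environment entry names a glibc loader variable (LD_*). */
int sets_loader_variable(const char *entry) { return strncmp(entry, "LD_", 3) == 0; }

int main(void)
{
    const char *names[] = { "user", "LD_PRELOAD", "a=b" }; /* constructed */
    char buf[128];
    for (size_t i = 0; i < 3; i++) {
        env_entry_unsafe(buf, sizeof buf, names[i], "sample");
        printf("unsafe %-20s loader=%d\n", buf, sets_loader_variable(buf));
        int rc = env_entry_safe(buf, sizeof buf, names[i], "sample");
        printf("safe   %-20s\n", rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```

The same check is useful in code review of any CGI or subprocess launcher: the environment passed to the child should be built from an allowlist or a fixed namespace, never from request-controlled names.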