cbcvebase.
CVE-2019-5096
published 2019-12-03

CVE-2019-5096: An exploitable code execution vulnerability exists in the processing of multi-part/form-data requests within the base GoAhead web server application in…

PriorityP278critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
66.98%
99.2th percentile
An exploitable code execution vulnerability exists in the processing of multi-part/form-data requests within the base GoAhead web server application in versions v5.0.1, v.4.1.1 and v3.6.5. A specially crafted HTTP request can lead to a use-after-free condition during the processing of this request that can be used to corrupt heap structures that could lead to full code execution. The request can be unauthenticated in the form of GET or POST requests, and does not require the requested resource to exist on the server.

Affected

3 ranges
VendorProductVersion rangeFixed in
embedthisgoahead
embedthisgoahead
embedthisgoahead

Detection & IOCsextracted from sources · hover to see the quote

snort
51331
snort
51332
  • Detect exploitation attempts targeting multi-part/form-data HTTP requests (GET or POST) against GoAhead web server; requests do not require authentication and do not require the target resource to exist on the server.
  • Focus detection on specially crafted multi-part/form-data HTTP requests that trigger a use-after-free condition in GoAhead; heap corruption leading to code execution is the expected outcome.
  • Apply Snort rules 51331 and 51332 (available via Firepower Management Center or Snort.org) to detect exploitation attempts; note rules may be updated as additional vulnerability information becomes available.
  • ·Affected GoAhead versions are v5.0.1, v4.1.1, and v3.6.5; detection and patching should target these specific versions across all embedded deployments.
  • ·No known public exploits specifically target CVE-2019-5096 at time of CISA advisory publication, but the vulnerability is remotely exploitable with low attack complexity (CVSS v3 9.8).
  • ·Multiple Rockwell Automation ICS products embed the vulnerable GoAhead version; firmware versions are product-specific and must be checked individually against the affected firmware list.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.