CVE-2020-15688
published 2020-07-23

Priority: P267 · high · 8.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.04% (89.3th percentile)

The HTTP Digest Authentication in the GoAhead web server before 5.1.2 does not completely protect against replay attacks. This allows an unauthenticated remote attacker to bypass authentication via capture-replay if TLS is not used to protect the underlying communication channel.

Affected

1 ranges
Vendor     Product  Version range  Fixed in
embedthis  goahead  < 5.1.2        5.1.2

Detection & IOCs (extracted from sources)

url: http://<ip>/goform/formUserManagementAdd?lang=en
path: /goform/formUserManagementAdd
other: Digest username="admin", realm="GoAhead", nonce="5fb3ce6dec423bf8b8f0dfc8cf65244d", uri="/goform/formUserManagementAdd?lang=en", algorithm=MD5, response="1c05f4d08aa0cfcc5318882e0fb4e9af", opaque="5ccc069c403ebaf9f0171e9517f40e41", qop=auth, nc=0000000a, cnonce="0649f631320f23bb"
  • Alert on HTTP POST requests to /goform/formUserManagementAdd containing a Digest Authorization header, especially when originating from unauthenticated or unexpected sources, as this endpoint is targeted to create rogue admin accounts.
  • Flag HTTP requests with the User-Agent string 'NoProxy/NoProblem.251' as this is the custom UA used in the published PoC exploit for CVE-2020-15688.
  • The vulnerability only applies when TLS is NOT used to protect the communication channel. Deployments using HTTPS are not susceptible to capture-replay via network interception.
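
The check below is an added example, not code from the original page or from the GoAhead project: it parses Digest Authorization headers out of request records and reports any (nonce, nc) pair that appears twice, which RFC 7616 defines as a replayed request. The record fields (`src`, `method`, `path`, `authorization`), the helper names and the sample traffic are assumptions constructed for illustration.

```python
import re

# Endpoint the entry above lists as targeted.
WATCHED_PATH = "/goform/formUserManagementAdd"
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_digest(header):
    """Return Digest parameters as a dict, or None if this is not a Digest header."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k.lower(): (q if q else u) for k, q, u in _PARAM.findall(rest)}

def find_replays(requests):
    """requests: list of dicts with src, method, path, authorization.
    A client must raise nc on every request sent with a given nonce, so a
    repeated (nonce, nc) pair means a captured header was sent again."""
    seen = {}      # (nonce, nc) -> index of the first request carrying it
    alerts = []
    for i, req in enumerate(requests):
        params = parse_digest(req.get("authorization", ""))
        if not params or "nonce" not in params or "nc" not in params:
            continue
        first = seen.setdefault((params["nonce"], params["nc"].lower()), i)
        if first != i:
            alerts.append({
                "index": i,
                "first_seen": first,
                "new_source": req["src"] != requests[first]["src"],
                "watched_path": req["method"] == "POST"
                and req["path"].split("?")[0] == WATCHED_PATH,
            })
    return alerts

# Constructed sample traffic: documentation addresses, made-up header values.
AUTH = ('Digest username="admin", realm="GoAhead", nonce="aaaa1111", '
        'uri="/goform/formUserManagementAdd?lang=en", algorithm=MD5, '
        'response="bbbb2222", qop=auth, nc=0000000a, cnonce="cccc3333"')

def _rec(src, auth):
    return {"src": src, "method": "POST",
            "path": WATCHED_PATH + "?lang=en", "authorization": auth}

SAMPLE = [
    _rec("192.0.2.10", AUTH),                                         # original
    _rec("192.0.2.10", AUTH.replace("nc=0000000a", "nc=0000000b")),   # next count
    _rec("198.51.100.7", AUTH),                                       # same header again
]

if __name__ == "__main__":
    for alert in find_replays(SAMPLE):
        print(alert)
```

The `seen` map grows with traffic; in a long-running monitor, entries can be dropped once the server's nonce lifetime has passed.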

CVSS provenance

nvd  v3.1  8.8  HIGH    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd  v2.0  6.8  MEDIUM  AV:N/AC:M/Au:N/C:P/I:P/A:P