Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-15688Authentication Bypass by Capture-replay in Goahead

CWE-294Authentication Bypass by Capture-replay3 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.3%
top 49.58%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Embedthis Goahead
Timeline
PublishedJul 23
Latest updateMay 24

Description

The HTTP Digest Authentication in the GoAhead web server before 5.1.2 does not completely protect against replay attacks. This allows an unauthenticated remote attacker to bypass authentication via capture-replay if TLS is not used to protect the underlying communication channel.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

NVDembedthis/goahead< 5.1.2

🔴Vulnerability Details

2
GHSA
GHSA-6r2c-458p-644h: GoAhead before 52022-05-24
CVEList
CVE-2020-15688: The HTTP Digest Authentication in the GoAhead web server before 52020-07-23
CVE-2020-15688 — Embedthis Goahead vulnerability | cvebase