CVE-2020-24916 — OS Command Injection in Yaws

CWE-78 — OS Command Injection10 documents7 sources

Severity

9.8CRITICALNVD

EPSS

44.3%

top 2.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Yaws Canonical Ubuntu Linux Debian Linux

Timeline

PublishedSep 9

Latest updateMay 24

Description

CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS command injection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Debianyaws/yaws< 2.0.8+dfsg-1+3

▶Ubuntuyaws/yaws< 2.0.4+dfsg-2ubuntu0.1

▶NVDyaws/yaws1.81 — 2.0.7

Also affects: Debian Linux 10.0, 9.0, Ubuntu Linux 18.04

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-962f-382j-8f7x: CGI implementation in Yaws web server versions 1↗2022-05-24

▶

OSV

yaws vulnerabilities↗2020-10-05

▶

OSV

CVE-2020-24916: CGI implementation in Yaws web server versions 1↗2020-09-09

▶

CVEList

CVE-2020-24916: CGI implementation in Yaws web server versions 1↗2020-09-09

▶

📋Vendor Advisories

Ubuntu

Yaws vulnerabilities↗2020-10-05

▶

Debian

CVE-2020-24916: yaws - CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS...↗2020

▶

💬Community

Bugzilla

CVE-2020-24916 yaws: OS command injection possible in CGI implementation↗2020-09-14

▶

Bugzilla

CVE-2020-24916 yaws: OS command injection possible in CGI implementation [epel-7]↗2020-09-14

▶

Bugzilla

CVE-2020-24916 yaws: OS command injection possible in CGI implementation [fedora-31]↗2020-09-14

▶