CVSS: 7.5EPSS: 6%CPEs: 1EXPL: 1CVE-2020-12845 – Gentoo Linux Security Advisory 202012-09
https://notcve.org/view.php?id=CVE-2020-12845
27 Jul 2020 — Cherokee 0.4.27 to 1.2.104 is affected by a denial of service due to a NULL pointer dereferences. A remote unauthenticated attacker can crash the server by sending an HTTP request to protected resources using a malformed Authorization header that is mishandled during a cherokee_buffer_add call within cherokee_validator_parse_basic or cherokee_validator_parse_digest. Cherokee versiones 0.4.27 a 1.2.104, está afectado por una denegación de servicio debido a una desreferencia del puntero NULL. Un atacante remo... • http://cherokee-project.com/downloads.html • CWE-476: NULL Pointer Dereference •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 2CVE-2019-20798 – Gentoo Linux Security Advisory 202012-09
https://notcve.org/view.php?id=CVE-2019-20798
17 May 2020 — An XSS issue was discovered in handler_server_info.c in Cherokee through 1.2.104. The requested URL is improperly displayed on the About page in the default configuration of the web server and its administrator panel. The XSS in the administrator panel can be used to reconfigure the server and execute arbitrary commands. Se detectó un problema de tipo XSS en el archivo handler_server_info.c En Cherokee versiones hasta 1.2.104. La URL requerida es mostrada inapropiadamente en la página About en la configurac... • https://github.com/cherokee/webserver/issues/1227 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 4%CPEs: 1EXPL: 5CVE-2019-20799 – Gentoo Linux Security Advisory 202012-09
https://notcve.org/view.php?id=CVE-2019-20799
17 May 2020 — In Cherokee through 1.2.104, multiple memory corruption errors may be used by a remote attacker to destabilize the work of a server. En Cherokee versiones hasta 1.2.104, múltiples errores de corrupción de memoria pueden ser usados por un atacante remoto para desestabilizar el trabajo de un servidor. Multiple vulnerabilities have been found in Cherokee, the worst of which could result in a Denial of Service condition. Versions less than or equal to 1.2.104-r2 are affected. • https://github.com/cherokee/webserver/issues/1221 • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 2CVE-2019-20800 – Gentoo Linux Security Advisory 202012-09
https://notcve.org/view.php?id=CVE-2019-20800
17 May 2020 — In Cherokee through 1.2.104, remote attackers can trigger an out-of-bounds write in cherokee_handler_cgi_add_env_pair in handler_cgi.c by sending many request headers, as demonstrated by a GET request with many "Host: 127.0.0.1" headers. En Cherokee versiones hasta 1.2.104, atacantes remotos pueden activar una escritura fuera de límites en la función cherokee_handler_cgi_add_env_pair en el archivo handler_cgi.c al enviar muchos encabezados de petición, como es demostrado por una petición GET con muchos enca... • https://github.com/cherokee/webserver/issues/1224 • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2014-4668 – Mandriva Linux Security Advisory 2015-225
https://notcve.org/view.php?id=CVE-2014-4668
02 Jul 2014 — The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an empty password. La función cherokee_validator_ldap_check en validator_ldap.c en Cherokee 1.2.103 y anteriores, cuando LDAP está utilizado, no considera debidamente la semántica bind no autenticada, lo que permite a atacantes remotos evadir autenticación a través de una contra... • http://advisories.mageia.org/MGASA-2015-0181.html • CWE-287: Improper Authentication •
CVSS: 9.6EPSS: 0%CPEs: 137EXPL: 4CVE-2011-2191
https://notcve.org/view.php?id=CVE-2011-2191
07 Oct 2011 — Cross-site request forgery (CSRF) vulnerability in Cherokee-admin in Cherokee before 1.2.99 allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences, as demonstrated by a crafted nickname field to vserver/apply. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en Cherokee-admin de Cherokee en versiones anteriores a la 1.2.99. Permite a atacantes remotos secuestrar la autenticación de administradores ... • http://lists.fedoraproject.org/pipermail/package-announce/2011-September/066222.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 137EXPL: 0CVE-2011-2190
https://notcve.org/view.php?id=CVE-2011-2190
07 Oct 2011 — The generate_admin_password function in Cherokee before 1.2.99 uses time and PID values for seeding of a random number generator, which makes it easier for local users to determine admin passwords via a brute-force attack. La función generate_admin_password de Cherokee en versiones anteriores a la 1.2.99 utiliza la fecha y el PID para crear la semilla del generador de números aleatorios, lo que facilita a usuarios locales determinar la contraseña de admin a través de ataque de fuerza bruta. • http://code.google.com/p/cherokee/issues/detail?id=1212 • CWE-310: Cryptographic Issues •
CVSS: 9.8EPSS: 8%CPEs: 1EXPL: 4CVE-2009-4489 – Cherokee 0.99.30 - Terminal Escape Sequence in Logs Command Injection
https://notcve.org/view.php?id=CVE-2009-4489
11 Jan 2010 — header.c in Cherokee before 0.99.32 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. header.c en Cherokee anterior a v0.99.32, escribe datos en un archivo de los sin depurar los caracteres no escribibles, lo que podría permitir a atacantes remotos modificar la ventana de título, o posiblement... • https://packetstorm.news/files/id/85018 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 10%CPEs: 1EXPL: 2CVE-2009-4587 – Cherokee Web server 0.5.4 - Denial of Service
https://notcve.org/view.php?id=CVE-2009-4587
07 Jan 2010 — Cherokee Web Server 0.5.4 allows remote attackers to cause a denial of service (daemon crash) via an MS-DOS reserved word in a URI, as demonstrated by the AUX reserved word. Cherokee Web Server v0.5.4 permite a atacantes remotos provocar una denegación de servicio (caída del demonio) a través de una palabra reservada de MS-DOS en una URI, como se ha demostrado en la palabra reservada AUX. • https://www.exploit-db.com/exploits/9874 •