Arch Linux Security Advisory ASA-202009-14 ========================================== Severity: High Date : 2020-09-26 CVE-ID : CVE-2020-12872 CVE-2020-24379 CVE-2020-24916 Package : yaws Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1228 Summary ======= The package yaws before version 2.0.8-1 is vulnerable to multiple issues including arbitrary command execution and information disclosure. Resolution ========== Upgrade to 2.0.8-1. # pacman -Syu "yaws>=2.0.8-1" The problems have been fixed upstream in version 2.0.8. Workaround ========== None. Description =========== - CVE-2020-12872 (information disclosure) yaws_config.erl in Yaws through 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks. - CVE-2020-24379 (information disclosure) WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection. - CVE-2020-24916 (arbitrary command execution) CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS command injection. Impact ====== A remote attacker might be able to execute arbitrary commands, downgrade TLS ciphers, or load foreign entities via crafted content. References ========== https://github.com/erlyaws/yaws/releases/tag/yaws-2.0.8 https://vuln.be/post/yaws-xxe-and-shell-injections/ https://sweet32.info/ https://medium.com/@charlielabs101/cve-2020-12872-df315411aa70 https://packetstormsecurity.com/files/159106/Yaws-2.0.7-XML-Injection-Command-Injection.html https://github.com/erlyaws/yaws/commit/05a06345012598f5da55dbb4d041c8dc26e88e6c https://github.com/vulnbe/poc-yaws-dav-xxe https://github.com/erlyaws/yaws/commit/799b3b526d15b7a9bc43ae97165aeb085f18fac1 https://github.com/vulnbe/poc-yaws-cgi-shell-injection https://security.archlinux.org/CVE-2020-12872 https://security.archlinux.org/CVE-2020-24379 https://security.archlinux.org/CVE-2020-24916