AVG-1228 log
| Package | yaws |
| Status | Fixed |
| Severity | High |
| Type | multiple issues |
| Affected | 2.0.7-2 |
| Fixed | 2.0.8-1 |
| Current | Removed |
| Ticket | None |
| Created | Thu Sep 10 13:27:49 2020 |
| Issue | Severity | Remote | Type | Description |
|---|---|---|---|---|
| CVE-2020-24916 | High | Yes | Arbitrary command execution | CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS command injection. |
| CVE-2020-24379 | High | Yes | Information disclosure | WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection. |
| CVE-2020-12872 | Medium | Yes | Information disclosure | yaws_config.erl in Yaws through 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks. |
| Date | Advisory | Package | Type |
|---|---|---|---|
| 26 Sep 2020 | ASA-202009-14 | yaws | multiple issues |
| References |
|---|
https://github.com/erlyaws/yaws/releases/tag/yaws-2.0.8 https://vuln.be/post/yaws-xxe-and-shell-injections/ |