AVG-1228 log

Package yaws
Status Fixed
Severity High
Type multiple issues
Affected 2.0.7-2
Fixed 2.0.8-1
Current 2.0.9-1 [community]
Ticket None
Created Thu Sep 10 13:27:49 2020
Issue Severity Remote Type Description
CVE-2020-24916 High Yes Arbitrary command execution
CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS command injection.
CVE-2020-24379 High Yes Information disclosure
WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.
CVE-2020-12872 Medium Yes Information disclosure
yaws_config.erl in Yaws through 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks.
Date Advisory Package Type
26 Sep 2020 ASA-202009-14 yaws multiple issues
References
https://github.com/erlyaws/yaws/releases/tag/yaws-2.0.8
https://vuln.be/post/yaws-xxe-and-shell-injections/