yaws

Link	package \| bugs open \| bugs closed \| Wiki \| GitHub \| web search
Description	Unknown
Version	Removed

Resolved

Group	Affected	Fixed	Severity	Status	Ticket
AVG-1228	2.0.7-2	2.0.8-1	High	Fixed

Issue	Group	Severity	Remote	Type	Description
CVE-2020-24916	AVG-1228	High	Yes	Arbitrary command execution	CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS command injection.
CVE-2020-24379	AVG-1228	High	Yes	Information disclosure	WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.
CVE-2020-12872	AVG-1228	Medium	Yes	Information disclosure	yaws_config.erl in Yaws through 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks.

Issue

Group

Severity

Remote

Type

Description

High

Yes

Arbitrary command execution

CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS command injection.

High

Yes

Information disclosure

WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.

Medium

Yes

Information disclosure

yaws_config.erl in Yaws through 2.0.7 loads obsolete TLS ciphers, as demonstrated by ones that allow Sweet32 attacks.

Date	Advisory	Group	Severity	Type
26 Sep 2020	ASA-202009-14	AVG-1228	High	multiple issues