ID CVE-2014-9708
Summary Embedthis Appweb before 4.6.6 and 5.x before 5.2.1 allows remote attackers to cause a denial of service (NULL pointer dereference) via a Range header with an empty value, as demonstrated by "Range: x=,".
References
Vulnerable Configurations
  • cpe:2.3:a:oracle:enterprise_communications_broker:2.0.0
    cpe:2.3:a:oracle:enterprise_communications_broker:2.0.0
  • EmbedThis AppWeb 4.6.5
    cpe:2.3:a:embedthis:appweb:4.6.5
  • EmbedThis AppWeb 5.0.0
    cpe:2.3:a:embedthis:appweb:5.0.0
  • EmbedThis AppWeb 5.1.0
    cpe:2.3:a:embedthis:appweb:5.1.0
  • EmbedThis AppWeb 5.2.0
    cpe:2.3:a:embedthis:appweb:5.2.0
CVSS
Base: 5.0 (as of 04-08-2016 - 09:49)
Impact:
Exploitability:
Access
Vector NETWORK
Complexity LOW
Authentication NONE
Impact
Confidentiality NONE
Integrity NONE
Availability PARTIAL
nessus via4
NASL family Denial of Service
NASL id PALO_ALTO_PAN-SA-2016-0027_REMOTE.NASL
description The Palo Alto Networks PAN-OS running on the remote host is affected by a NULL pointer dereference flaw in the web management interface, specifically in the parseRange() function within file rx.c, when handling HTTP requests involving a Range header with an empty value. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause the Appweb process for the management interface to terminate, resulting in a denial of service condition. Note that PAN-OS is reportedly affected by other vulnerabilities as well; however, Nessus has not tested for these.
last seen 2019-02-21
modified 2018-07-24
plugin id 96314
published 2017-01-05
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=96314
title Palo Alto Networks PAN-OS Management Interface Remote DoS (PAN-SA-2016-0027)
packetstorm via4
data source https://packetstormsecurity.com/files/download/131157/appweb-dos.txt
id PACKETSTORM:131157
last seen 2016-12-05
published 2015-03-28
reporter Matthew Daley
source https://packetstormsecurity.com/files/131157/Appweb-Web-Server-Denial-Of-Service.html
title Appweb Web Server Denial Of Service
refmap via4
bid 73407
bugtraq 20150328 Advisory: CVE-2014-9708: Appweb Web Server
confirm
fulldisc
  • 20150328 Advisory: CVE-2014-9708: Appweb Web Server
  • 20150408 Re: [oss-security] Advisory: CVE-2014-9708: Appweb Web Server
misc http://packetstormsecurity.com/files/131157/Appweb-Web-Server-Denial-Of-Service.html
sectrack 1037007
Last major update 27-01-2017 - 21:59
Published 31-03-2015 - 10:59
Last modified 09-10-2018 - 15:55