CVE-2020-15688

Published: Jul 23, 2020Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The HTTP Digest Authentication in the GoAhead web server before 5.1.2 does not completely protect against replay attacks. This allows an unauthenticated remote attacker to bypass authentication via capture-replay if TLS is not used to protect the underlying communication channel.

Affected (1)

Products: Embedthis: Goahead

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Embedthis Goahead	Before 5.1.2

Related CWEs

Authentication Bypass by Capture-replay

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

References (6)

http://packetstormsecurity.com/files/159505/EmbedThis-GoAhead-Web-Server-5.1.1-Digest-Authentication-Capture-Replay-Nonce-Reuse.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://github.com/embedthis/goahead-gpl/issues/3

Source: cve@mitre.org

Third Party Advisory

https://github.com/embedthis/goahead-gpl/issues/3

Source: cve@mitre.org

Third Party Advisory

http://packetstormsecurity.com/files/159505/EmbedThis-GoAhead-Web-Server-5.1.1-Digest-Authentication-Capture-Replay-Nonce-Reuse.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://github.com/embedthis/goahead-gpl/issues/3

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/embedthis/goahead-gpl/issues/3

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.