NVD Vulnerability Detail

CVE-2011-2900

Summary	Stack-based buffer overflow in the (1) put_dir function in mongoose.c in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL Embedded Web Server (yasslEWS) 0.2, and (3) _shttpd_put_dir function in io_dir.c in Simple HTTPD (shttpd) 1.42 allows remote attackers to execute arbitrary code via an HTTP PUT request, as exploited in the wild in 2011.
Publication Date	Aug. 6, 2011, 6:55 a.m.
Registration Date	Jan. 28, 2021, 4:39 p.m.
Last Update	Nov. 21, 2024, 10:29 a.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065273.html
2	http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065505.html
3	http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065537.html
4	http://secunia.com/advisories/45464	Vendor Advisory
5	http://secunia.com/advisories/45902
6	http://securityreason.com/securityalert/8337
7	http://www.openwall.com/lists/oss-security/2011/08/03/5	Patch
8	http://www.openwall.com/lists/oss-security/2011/08/03/9	Patch
9	http://www.securityfocus.com/bid/48980
10	https://code.google.com/p/mongoose/source/detail?r=556f4de91eae4bac40dc5d4ddbd9ec7c424711d0	Patch
11	https://exchange.xforce.ibmcloud.com/vulnerabilities/68991
12	http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065273.html
13	https://exchange.xforce.ibmcloud.com/vulnerabilities/68991
14	https://code.google.com/p/mongoose/source/detail?r=556f4de91eae4bac40dc5d4ddbd9ec7c424711d0	Patch
15	http://www.securityfocus.com/bid/48980
16	http://www.openwall.com/lists/oss-security/2011/08/03/9	Patch
17	http://www.openwall.com/lists/oss-security/2011/08/03/5	Patch
18	http://securityreason.com/securityalert/8337
19	http://secunia.com/advisories/45902
20	http://secunia.com/advisories/45464	Vendor Advisory
21	http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065537.html
22	http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065505.html

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

JVN Vulnerability Information

Mongoose などの put_dir 関数におけるスタックベースのバッファオーバーフローの脆弱性

Title	Mongoose などの put_dir 関数におけるスタックベースのバッファオーバーフローの脆弱性
Summary	(1) Mongoose の mongoose.c の put_dir 関数、(2) yaSSL Embedded Web Server (yasslEWS) の yasslEWS.c のput_dir 関数および (3) Simple HTTPD (shttpd) の io_dir.c の _shttpd_put_dir 関数には、スタックベースのバッファオーバーフローの脆弱性が存在します。本脆弱性は、2011 年実環境で悪用されました。
Possible impacts	第三者により、HTTP PUT リクエストを介して、任意のコードを実行される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Aug. 5, 2011, midnight
Registration Date	March 27, 2012, 6:43 p.m.
Last Update	March 27, 2012, 6:43 p.m.

Affected System

yaSSL

yasslews 0.2

shttpd

shttpd 1.42

valenok

Mongoose 3.0

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-2900	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2900
National Vulnerability Database (NVD)
2	CVE-2011-2900	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2900

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
shttpd
1	Top Page	http://sourceforge.net/projects/shttpd/
valenok
2	mongoose	https://code.google.com/archive/p/mongoose/
yaSSL
3	yaSSL Embedded Web Server	http://www.yassl.com/yaSSL/Products-yassl-embedded-web-server.html

Change Log

No	Changed Details	Date of change
0	[2012年03月27日] 掲載	Feb. 17, 2018, 10:37 a.m.