CVE-2011-2900: Buffer Overflow
First published: Fri Aug 05 2011(Updated: )
Stack-based buffer overflow in the (1) put_dir function in mongoose.c in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL Embedded Web Server (yasslEWS) 0.2, and (3) _shttpd_put_dir function in io_dir.c in Simple HTTPD (shttpd) 1.42 allows remote attackers to execute arbitrary code via an HTTP PUT request, as exploited in the wild in 2011.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Shttpd | =1.42 | |
| Mongoose | =3.0 | |
| yaSSL | =0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2011/08/03/9
- http://www.openwall.com/lists/oss-security/2011/08/03/5
- http://www.securityfocus.com/bid/48980
- http://secunia.com/advisories/45464
- https://code.google.com/p/mongoose/source/detail?r=556f4de91eae4bac40dc5d4ddbd9ec7c424711d0
- http://securityreason.com/securityalert/8337
- http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065537.html
- http://secunia.com/advisories/45902
- http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065505.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065273.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/68991
Frequently Asked Questions
What is the severity of CVE-2011-2900?
CVE-2011-2900 is considered to have a high severity due to its potential for remote code execution.
How do I fix CVE-2011-2900?
To fix CVE-2011-2900, update Mongoose to version 3.1 or later, Shttpd to version 1.43 or later, or yaSSL Embedded Web Server to version 0.3 or later.
What types of software are affected by CVE-2011-2900?
CVE-2011-2900 affects Mongoose 3.0, Shttpd 1.42, and yaSSL Embedded Web Server 0.2.
What is the exploit method for CVE-2011-2900?
CVE-2011-2900 can be exploited through a stack-based buffer overflow in the put_dir function by sending crafted requests.
Are there any workarounds for CVE-2011-2900?
Temporary workarounds for CVE-2011-2900 may include restricting access to affected services or enabling firewall rules to block untrusted traffic.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/references
- agent/remedy
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/shttpd
- canonical/shttpd
- version/shttpd/1.42
- vendor/valenok
- canonical/mongoose
- version/mongoose/3.0
- vendor/yassl
- canonical/yassl
- version/yassl/0.2