VDB
CVE-2009-4489
CVE-2009-4489
PUBLISHED
CVSS 5 MEDIUM
header.c in Cherokee before 0.99.32 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.
EPSS 8.61% · 92.6th percentile
Risk Scores
CVSS 2.0
5
EPSS Score
8.61%
92.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| cherokee-project | cherokee | 0 |
| n/a | n/a | n/a |
Timeline
- Jan 11, 2010 PoC Published
- Jan 13, 2010 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- May 25, 2023 EPSS Score
References
- http://svn.cherokee-project.com/changeset/3944 url
- 37933 third-party-advisory
- ADV-2010-0090 vdb
- 37715 vdb
- http://www.ush.it/team/ush/hack_httpd_escape/adv.txt url
- http://svn.cherokee-project.com/changeset/3977 url
- 20100110 Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection mailing-list
- https://nvd.nist.gov/vuln/detail/CVE-2009-4489 advisory