Description
GoAhead is a tiny, embedded web server. GoAhead is deployed in hundreds of millions of devices and is ideal for the smallest of embedded devices.
GoAhead web server versions before 3.6.5 unsafely initialize the environment of forked CGI scripts using untrusted HTTP request parameters. All users who have CGI support enabled with dynamically linked executables (CGI scripts) are affected by this vulnerability. Combined with the glibc dynamic linker, this behavior can be abused for remote code execution using special variables such as LD_PRELOAD.
Remediation
Upgrade to the latest version of GoAhead Web Server. This vulnerability was fixed in GoAhead Web Server version 3.6.5.
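One way to avoid the flaw described above in code that launches CGI children: never let a request parameter pick an environment variable name directly. The C below is an added example, not GoAhead's code; the CGI_PARAM_ prefix, the function names and the reserved-name list are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical prefix; keeps request parameters in their own namespace. */
#define CGI_PARAM_PREFIX "CGI_PARAM_"

/* Names the child's runtime acts on; never accepted from a request. */
static int is_reserved_env_name(const char *name)
{
    static const char *const exact[] = { "PATH", "IFS", "CDPATH", NULL };
    if (strncmp(name, "LD_", 3) == 0)
        return 1;                       /* glibc dynamic linker controls */
    for (size_t i = 0; exact[i] != NULL; i++)
        if (strcmp(name, exact[i]) == 0)
            return 1;
    return 0;
}

/*
 * Format one request parameter as an environment entry for a CGI child.
 * Returns 0 on success, -1 if the name is malformed or reserved, or if
 * the entry does not fit in out.
 */
int cgi_env_entry(const char *name, const char *value, char *out, size_t outsz)
{
    if (name == NULL || value == NULL || name[0] == '\0')
        return -1;
    for (const char *p = name; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '_')
            return -1;                  /* rejects '=', spaces, control bytes */
    if (is_reserved_env_name(name))
        return -1;
    int n = snprintf(out, outsz, "%s%s=%s", CGI_PARAM_PREFIX, name, value);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample parameters. */
    const char *names[]  = { "user", "LD_PRELOAD", "a=b" };
    const char *values[] = { "alice", "/tmp/x.so", "1" };
    char buf[128];
    for (size_t i = 0; i < 3; i++) {
        int rc = cgi_env_entry(names[i], values[i], buf, sizeof buf);
        printf("%-12s -> %s\n", names[i], rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```

The prefix alone already keeps a parameter from landing on a name the dynamic linker reads; the reserved-name check is a second layer that also makes such requests easy to log.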