CVE-2024-3187

MEDIUM EPSS 37.7%
Published Oct 17, 20241y ago · Modified Jun 17, 20262w ago
5.9 CVSS 3.1
Medium
Find Similar
Published Oct 17, 2024 1y ago
Last Modified Jun 17, 2026 2w ago

Description

This issue tracks two CWE-416 Use After Free (UAF) and one CWE-415 Double Free vulnerabilities in Goahead versions <= 6.0.0. These are caused by JST values not being nulled when freed during parsing of JST templates. If the ME_GOAHEAD_JAVASCRIPT flag is enabled, a remote attacker with the privileges to modify JavaScript template (JST) files could exploit this by providing malicious templates. This may lead to memory corruption, potentially causing a Denial of Service (DoS) or, in rare cases, code execution, though the latter is highly context-dependent.

CVSS Details

Base Score
5.9
Exploitability
1.6
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability High

Threat Intelligence

EPSS Exploit Probability
37.7% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-415
CWE-416 Use After Free Memory Safety

References 1

  • nozominetworks.com https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-3187

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.