CVE-2018-5704

Published: 16/01/2018 Updated: 09/02/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 9.6 | Impact Score: 6 | Exploitability Score: 2.8
VMScore: 828
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use HTTP POST for sending data to 127.0.0.1 port 4444, which allows remote malicious users to conduct cross-protocol scripting attacks, and consequently execute arbitrary commands, via a crafted web site.

Vulnerable Product

debian debian linux 9.0

debian debian linux 8.0

openocd open on-chip debugger 0.10.0

Vendor Advisories

Debian Bug report logs - #887488: openocd: CVE-2018-5704 cross protocol scripting attack. Package: openocd; Maintainer for openocd is Debian Electronics Packaging Team <pkg-electronics-devel@lists.alioth.debian.org>; Source for openocd is src:openocd. Reported by: Guido Günther <agx@sigxcpu.org> D ...

Josef Gajdusek discovered that OpenOCD, a JTAG debugger for ARM and MIPS, was vulnerable to Cross Protocol Scripting attacks. An attacker could craft an HTML page that, when visited by a victim running OpenOCD, could execute arbitrary commands on the victim's host. This fix also sets the OpenOCD default binding to localhost, instead of every network ...