CVE-2011-2900

EXPLOITED IN THE WILD

Shttpd - Memory Corruption

Title source: rule

Description

Stack-based buffer overflow in the (1) put_dir function in mongoose.c in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL Embedded Web Server (yasslEWS) 0.2, and (3) _shttpd_put_dir function in io_dir.c in Simple HTTPD (shttpd) 1.42 allows remote attackers to execute arbitrary code via an HTTP PUT request, as exploited in the wild in 2011.

Exploits (2)

exploitdb WORKING POC
by nion · python · remote · windows
https://www.exploit-db.com/exploits/17669

exploitdb WORKING POC
by G13 · python · dos · windows
https://www.exploit-db.com/exploits/17658

Scores

EPSS 0.5367
EPSS Percentile 98.0%

Details

VulnCheck KEV 2011-08-05
InTheWild.io 2017-08-29
CWE CWE-119
Status published
Products (3)
shttpd/shttpd 1.42
valenok/mongoose 3.0
yassl/yasslews 0.2
Published Aug 05, 2011
Tracked Since Feb 18, 2026