CVE-2018-5704

Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use HTTP POST for sending data to 127.0.0.1 port 4444, which allows remote attackers to conduct cross-protocol scripting attacks, and consequently execute arbitrary commands, via a crafted web site.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.6 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
VendorProductVersion
debiandebian_linux
8.0
debiandebian_linux
9.0
openocdopen_on-chip_debugger
0.10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openocd
bullseye
0.11.0~rc2-1
fixed
bookworm
0.12.0-1
fixed
sid
0.12.0-3
fixed
trixie
0.12.0-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openocd
disco
not-affected
cosmic
not-affected
bionic
not-affected
artful
ignored
xenial
Fixed 0.9.0-1+deb8u1build0.16.04.1
released
trusty
dne
Common Weakness Enumeration
References
https://lists.debian.org/debian-lts-announce/2018/01/msg00027.html
https://sourceforge.net/p/openocd/mailman/message/36188041/
https://www.debian.org/security/2018/dsa-4093
https://lists.debian.org/debian-lts-announce/2018/01/msg00027.html
https://sourceforge.net/p/openocd/mailman/message/36188041/
https://www.debian.org/security/2018/dsa-4093