Vulnerabilities > CVE-2014-9403 - Denial of Service vulnerability in ZNC 'CWebAdminMod::ChanPage()' Function

047910
CVSS 4.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
znc
nessus

Summary

The CWebAdminMod::ChanPage function in modules/webadmin.cpp in ZNC before 1.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) by adding a channel with the same name as an existing channel but without the leading # character, related to a "use-after-delete" error. <a href="http://cwe.mitre.org/data/definitions/476.html">CWE-476: NULL Pointer Dereference</a>

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201412-31.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201412-31 (ZNC: Denial of Service) Multiple NULL pointer dereferences have been found in ZNC. Impact : A remote attacker could send a specially crafted request, possibly resulting in a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id80109
    published2014-12-19
    reporterThis script is Copyright (C) 2014-2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/80109
    titleGLSA-201412-31 : ZNC: Denial of Service
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-845.NASL
    descriptionZnc was updated to 1.6.2 to fix one security issue. The following vulnerability was fixed : - CVE-2014-9403: Remote unauthenticated users could cause denial of service via channel creation. [boo#956254] Also contains all bug fixes in the 1.6.2 release.
    last seen2020-06-05
    modified2015-12-02
    plugin id87166
    published2015-12-02
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/87166
    titleopenSUSE Security Update : znc (openSUSE-2015-845)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-013.NASL
    descriptionUpdated znc packages fix security vulnerabilities : Multiple vulnerabilities were reported in ZNC version 1.0 which can be exploited by malicious authenticated users to cause a denial of service. These flaws are due to errors when handling the editnetwork, editchan, addchan, and delchan page requests; they can be exploited to cause a NULL pointer dereference (CVE-2013-2130). Adding an already existing channel to a user/network via web admin in ZNC causes a crash if the channel name isn
    last seen2020-06-01
    modified2020-06-02
    plugin id80432
    published2015-01-09
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/80432
    titleMandriva Linux Security Advisory : znc (MDVSA-2015:013)