CVE-2024-3187
Published: 17 October 2024
Summary
CVE-2024-3187 is a medium-severity Double Free (CWE-415) vulnerability. Its CVSS base score is 5.9 (Medium).
Operationally, it is ranked in the top 10.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-3187 tracks two use-after-free issues and one double-free vulnerability in GoAhead versions 6.0.0 and earlier. The flaws occur when JST values are not nulled after being freed during template parsing; they are reachable only when the ME_GOAHEAD_JAVASCRIPT compile-time flag is enabled.
An attacker who can modify JavaScript template files on the target system can supply malicious JST content that triggers memory corruption. Successful exploitation may produce a denial of service and, in limited contexts, arbitrary code execution; the CVSS vector reflects network attack reachability combined with high attack complexity and low privileges.
The single referenced advisory is hosted at Nozomi Networks Labs; it contains no additional mitigation details beyond the conditions already described in the CVE entry. EPSS for the vulnerability rose from a low baseline to a recorded peak of 0.0759 before receding to its current value of 0.0427, indicating a period of increased exploitation interest after disclosure.
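The freed-but-not-nulled pattern described above, shown beside its hardened form. This is an added illustration, not GoAhead's source code; the type `tpl_value`, every function name and the "malformed token" rule are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a parsed template value; not GoAhead's type. */
typedef struct {
    char *text;   /* heap copy of the token text */
    int   frees;  /* number of real free() calls, kept for checking */
} tpl_value;

/* The pattern the CVE describes: memory is freed but the pointer keeps
   the stale address, so a second cleanup frees it again (CWE-415) and
   any later read is a use after free (CWE-416). Shown only; never called. */
void value_clear_unsafe(tpl_value *v) {
    free(v->text);
    v->frees++;
}

/* Hardened form: free, then null, so repeated cleanup is a no-op. */
void value_clear(tpl_value *v) {
    if (v->text != NULL) {
        free(v->text);
        v->frees++;
    }
    v->text = NULL;
}

/* Constructed parse step: the error path releases the value itself. */
int parse_token(tpl_value *v, const char *tok) {
    size_t n = strlen(tok) + 1;
    v->text = malloc(n);
    if (v->text == NULL) return -1;
    memcpy(v->text, tok, n);
    if (strchr(tok, '<') != NULL) {   /* constructed "malformed" rule */
        value_clear(v);
        return -1;
    }
    return 0;
}

/* Caller cleanup runs on success and on error, as cleanup code often does.
   Returns how many times free() was really called for this value. */
int render_frees(const char *tok) {
    tpl_value v = { NULL, 0 };
    (void)parse_token(&v, tok);
    value_clear(&v);
    return v.frees;
}
```

With `value_clear_unsafe` in both places, the error path would call `free()` twice on the same address; building with AddressSanitizer (`-fsanitize=address`) reports that as a double free.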
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-31779
Vulnerability details
This issue tracks two CWE-416 Use After Free (UAF) and one CWE-415 Double Free vulnerabilities in GoAhead versions <= 6.0.0. These are caused by JST values not being nulled when freed during parsing of JST templates. If the ME_GOAHEAD_JAVASCRIPT flag is enabled, a remote attacker with the privileges to modify JavaScript template (JST) files could exploit this by providing malicious templates. This may lead to memory corruption, potentially causing a Denial of Service (DoS) or, in rare cases, code execution, though the latter is highly context-dependent.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR.