VU#461364: Hiawatha open-sourc... Note

VU#461364: Hiawatha open-source web server has multiple vulnerabilities

Hiawatha is an open-source web server known for its performance, supporting multiple operating systems. Three vulnerabilities have been identified in specific versions of Hiawatha. The fetch_request function suffers from request smuggling due to improper header handling, potentially allowing access to restricted resources. The Tomahawk component has an authentication timing attack vulnerability in its management client due to the use of strcmp. A double free memory error exists in the XSLT show_index function, which could lead to data corruption and arbitrary code execution. These vulnerabilities affect Hiawatha versions 8.5 through 11.7, with the double free specific to versions 10.8.2 through 11.7. Exploiting these flaws can lead to authentication bypass, session hijacking, malicious payload injection, and code execution. While Hiawatha is no longer actively supported, the developer has acknowledged these issues. Mitigations and remediations for all three vulnerabilities have been tested and included in a future release. Users are advised to install the updated version when it becomes available. Ali Norouzi of Keysight is acknowledged for reporting these issues.