CVE-2015-0253

2015-07-2023:59:00

Debian Security Bug Tracker

security-tracker.debian.org

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.017 Low

EPSS

Percentile

87.7%

JSON

The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method to an installation that enables the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI.

OSVersionArchitecturePackageVersionFilename
Debian12allapache2< 2.4.57-2apache2_2.4.57-2_all.deb
Debian11allapache2< 2.4.56-1~deb11u2apache2_2.4.56-1~deb11u2_all.deb
Debian10allapache2< 2.4.38-3+deb10u8apache2_2.4.38-3+deb10u8_all.deb
Debian999allapache2< 2.4.59-1apache2_2.4.59-1_all.deb
Debian13allapache2< 2.4.58-1apache2_2.4.58-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	apache2	< 2.4.57-2	apache2_2.4.57-2_all.deb
Debian	11	all	apache2	< 2.4.56-1~deb11u2	apache2_2.4.56-1~deb11u2_all.deb
Debian	10	all	apache2	< 2.4.38-3+deb10u8	apache2_2.4.38-3+deb10u8_all.deb
Debian	999	all	apache2	< 2.4.59-1	apache2_2.4.59-1_all.deb
Debian	13	all	apache2	< 2.4.58-1	apache2_2.4.58-1_all.deb