Apache Httpd < 2.2.16 : mod_cache and mod_dav DoS

2010-05-0400:00:00

Apache Team Foundation

httpd.apache.org

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.23 Low

EPSS

Percentile

96.5%

JSON

A flaw was found in the handling of requests by mod_cache (2.2) and mod_dav (2.0 and 2.2). A malicious remote attacker could send a carefully crafted request and cause a httpd child process to crash. This crash would only be a denial of service if using the worker MPM. This issue is further mitigated as mod_dav is only affected by requests that are most likely to be authenticated, and mod_cache is only affected if the uncommon “CacheIgnoreURLSessionIdentifiers” directive, introduced in version 2.2.14, is used.

CPENameOperatorVersion
apache httpdeq2.2.15
apache httpdeq2.2.14
apache httpdeq2.2.13
apache httpdeq2.2.12
apache httpdeq2.2.11
apache httpdeq2.2.10
apache httpdeq2.2.9
apache httpdeq2.2.8
apache httpdeq2.2.6
apache httpdeq2.2.5

Name	Operator	Version
apache httpd	eq	2.2.15
apache httpd	eq	2.2.14
apache httpd	eq	2.2.13
apache httpd	eq	2.2.12
apache httpd	eq	2.2.11
apache httpd	eq	2.2.10
apache httpd	eq	2.2.9
apache httpd	eq	2.2.8
apache httpd	eq	2.2.6
apache httpd	eq	2.2.5