httpd | Apache Team Foundation | HTTPD:3512E3F62E72F03B59F5E9CF8ECB3EEF
History: Apr 12, 2019 - 12:00 a.m.

Apache Httpd < 2.4.41 : mod_http2, read-after-free in h2 connection shutdown

2019-04-12 00:00:00
Apache Team Foundation
httpd.apache.org

CVSS2: 6.4
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS3: 9.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS: 0.008
Percentile: 82.1%

Using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.

Affected configurations

Vulners
Node
apache apache_httpd Match 2.4.39
OR apache apache_httpd Match 2.4.38
OR apache apache_httpd Match 2.4.37
OR apache apache_httpd Match 2.4.35
OR apache apache_httpd Match 2.4.34
OR apache apache_httpd Match 2.4.33
OR apache apache_httpd Match 2.4.32
OR apache apache_httpd Match 2.4.29
OR apache apache_httpd Match 2.4.28
OR apache apache_httpd Match 2.4.27
OR apache apache_httpd Match 2.4.26
OR apache apache_httpd Match 2.4.25
OR apache apache_httpd Match 2.4.23
OR apache apache_httpd Match 2.4.20
OR apache apache_httpd Match 2.4.18

| Vendor | Product | Version | CPE |
|---|---|---|---|
| apache | apache_httpd | 2.4.39 | cpe:2.3:a:apache:apache_httpd:2.4.39:*:*:*:*:*:*:* |
| apache | apache_httpd | 2.4.38 | cpe:2.3:a:apache:apache_httpd:2.4.38:*:*:*:*:*:*:* |
| apache | apache_httpd | 2.4.37 | cpe:2.3:a:apache:apache_httpd:2.4.37:*:*:*:*:*:*:* |
| apache | apache_httpd | 2.4.35 | cpe:2.3:a:apache:apache_httpd:2.4.35:*:*:*:*:*:*:* |
| apache | apache_httpd | 2.4.34 | cpe:2.3:a:apache:apache_httpd:2.4.34:*:*:*:*:*:*:* |
| apache | apache_httpd | 2.4.33 | cpe:2.3:a:apache:apache_httpd:2.4.33:*:*:*:*:*:*:* |
| apache | apache_httpd | 2.4.32 | cpe:2.3:a:apache:apache_httpd:2.4.32:*:*:*:*:*:*:* |
| apache | apache_httpd | 2.4.29 | cpe:2.3:a:apache:apache_httpd:2.4.29:*:*:*:*:*:*:* |
| apache | apache_httpd | 2.4.28 | cpe:2.3:a:apache:apache_httpd:2.4.28:*:*:*:*:*:*:* |
| apache | apache_httpd | 2.4.27 | cpe:2.3:a:apache:apache_httpd:2.4.27:*:*:*:*:*:*:* |