Lucene search

K
nvd[email protected]NVD:CVE-2011-4317
HistoryNov 30, 2011 - 4:05 a.m.

CVE-2011-4317

2011-11-3004:05:58
CWE-20
web.nvd.nist.gov

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

8.7

Confidence

High

EPSS

0.974

Percentile

99.9%

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign) character and a : (colon) character in invalid positions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368.

Affected configurations

NVD
Node
apachehttp_serverMatch1.3
OR
apachehttp_serverMatch1.3.0
OR
apachehttp_serverMatch1.3.1
OR
apachehttp_serverMatch1.3.1.1
OR
apachehttp_serverMatch1.3.2
OR
apachehttp_serverMatch1.3.3
OR
apachehttp_serverMatch1.3.4
OR
apachehttp_serverMatch1.3.5
OR
apachehttp_serverMatch1.3.6
OR
apachehttp_serverMatch1.3.7
OR
apachehttp_serverMatch1.3.8
OR
apachehttp_serverMatch1.3.9
OR
apachehttp_serverMatch1.3.10
OR
apachehttp_serverMatch1.3.11
OR
apachehttp_serverMatch1.3.12
OR
apachehttp_serverMatch1.3.13
OR
apachehttp_serverMatch1.3.14
OR
apachehttp_serverMatch1.3.15
OR
apachehttp_serverMatch1.3.16
OR
apachehttp_serverMatch1.3.17
OR
apachehttp_serverMatch1.3.18
OR
apachehttp_serverMatch1.3.19
OR
apachehttp_serverMatch1.3.20
OR
apachehttp_serverMatch1.3.22
OR
apachehttp_serverMatch1.3.23
OR
apachehttp_serverMatch1.3.24
OR
apachehttp_serverMatch1.3.25
OR
apachehttp_serverMatch1.3.26
OR
apachehttp_serverMatch1.3.27
OR
apachehttp_serverMatch1.3.28
OR
apachehttp_serverMatch1.3.29
OR
apachehttp_serverMatch1.3.30
OR
apachehttp_serverMatch1.3.31
OR
apachehttp_serverMatch1.3.32
OR
apachehttp_serverMatch1.3.33
OR
apachehttp_serverMatch1.3.34
OR
apachehttp_serverMatch1.3.35
OR
apachehttp_serverMatch1.3.36
OR
apachehttp_serverMatch1.3.37
OR
apachehttp_serverMatch1.3.38
OR
apachehttp_serverMatch1.3.39
OR
apachehttp_serverMatch1.3.41
OR
apachehttp_serverMatch1.3.42
OR
apachehttp_serverMatch1.3.65
OR
apachehttp_serverMatch1.3.68
Node
apachehttp_serverMatch2.0
OR
apachehttp_serverMatch2.0.9
OR
apachehttp_serverMatch2.0.28
OR
apachehttp_serverMatch2.0.28beta
OR
apachehttp_serverMatch2.0.32
OR
apachehttp_serverMatch2.0.32beta
OR
apachehttp_serverMatch2.0.34beta
OR
apachehttp_serverMatch2.0.35
OR
apachehttp_serverMatch2.0.36
OR
apachehttp_serverMatch2.0.37
OR
apachehttp_serverMatch2.0.38
OR
apachehttp_serverMatch2.0.39
OR
apachehttp_serverMatch2.0.40
OR
apachehttp_serverMatch2.0.41
OR
apachehttp_serverMatch2.0.42
OR
apachehttp_serverMatch2.0.43
OR
apachehttp_serverMatch2.0.44
OR
apachehttp_serverMatch2.0.45
OR
apachehttp_serverMatch2.0.46
OR
apachehttp_serverMatch2.0.47
OR
apachehttp_serverMatch2.0.48
OR
apachehttp_serverMatch2.0.49
OR
apachehttp_serverMatch2.0.50
OR
apachehttp_serverMatch2.0.51
OR
apachehttp_serverMatch2.0.52
OR
apachehttp_serverMatch2.0.53
OR
apachehttp_serverMatch2.0.54
OR
apachehttp_serverMatch2.0.55
OR
apachehttp_serverMatch2.0.56
OR
apachehttp_serverMatch2.0.57
OR
apachehttp_serverMatch2.0.58
OR
apachehttp_serverMatch2.0.59
OR
apachehttp_serverMatch2.0.60
OR
apachehttp_serverMatch2.0.61
OR
apachehttp_serverMatch2.0.63
OR
apachehttp_serverMatch2.0.64
Node
apachehttp_serverMatch2.2.0
OR
apachehttp_serverMatch2.2.1
OR
apachehttp_serverMatch2.2.2
OR
apachehttp_serverMatch2.2.3
OR
apachehttp_serverMatch2.2.4
OR
apachehttp_serverMatch2.2.6
OR
apachehttp_serverMatch2.2.8
OR
apachehttp_serverMatch2.2.9
OR
apachehttp_serverMatch2.2.10
OR
apachehttp_serverMatch2.2.11
OR
apachehttp_serverMatch2.2.12
OR
apachehttp_serverMatch2.2.13
OR
apachehttp_serverMatch2.2.14
OR
apachehttp_serverMatch2.2.15
OR
apachehttp_serverMatch2.2.16
OR
apachehttp_serverMatch2.2.18
OR
apachehttp_serverMatch2.2.19
OR
apachehttp_serverMatch2.2.20
OR
apachehttp_serverMatch2.2.21

References

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

8.7

Confidence

High

EPSS

0.974

Percentile

99.9%