
ROS-20220628-01

2022-06-28 00:00:00
redos.red-soft.ru

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.348 Low
Percentile: 97.1%

A vulnerability in the Apache HTTP web server is related to insufficient validation of user-supplied data when
handling HTTP requests to a Lua script that calls r:parsebody(0). Exploitation of the vulnerability could
allow a remote attacker to send a very large HTTP request to a vulnerable web server
and cause a denial of service (DoS).

A vulnerability in the Apache HTTP web server is related to boundary conditions when processing HTTP requests in mod_lua
with WebSockets. Exploitation of the vulnerability could allow a remote attacker to force the
module to return to applications calling r:wsread() a length that points to the end of the memory
allocated for the buffer, and to gain access to sensitive information.

A vulnerability in the Apache HTTP web server is related to boundary conditions in the mod_isapi module. Exploitation
of the vulnerability could allow a remote attacker to send a specially crafted HTTP request
to the server, cause an out-of-bounds read and read the memory contents of the system, or
perform a denial of service (DoS) attack.

A vulnerability in the Apache HTTP web server is related to boundary conditions in the ap_strcmp_match() function when
handling an extremely large input buffer. Exploitation of the vulnerability could allow a remote
attacker to send a specially crafted HTTP request to the web server, cause an out-of-bounds
read and read the memory contents of the system.

A vulnerability in the Apache HTTP web server is related to a bug in the mod_proxy implementation: the web server
may fail to send X-Forwarded-* headers to the origin server because of the hop-by-hop mechanism
of the client-side Connection header. Exploitation of the vulnerability could allow a remote
attacker to bypass IP-based authentication on the origin server/application and
gain access to restricted functions.

A vulnerability in the Apache HTTP web server is related to improper validation of HTTP requests in mod_proxy_ajp.
Exploitation of the vulnerability could allow a remote attacker to send a specially
crafted HTTP request to the server, redirect requests to the AJP server to which it forwards
requests, and access restricted features.

A vulnerability in the Apache HTTP web server is related to boundary conditions in the ap_rwrite() function. Exploitation
of the vulnerability could allow a remote attacker to force the server to reflect very large
input using ap_rwrite() or ap_rputs() (e.g., using mod_lua's r:puts()), which could
cause an out-of-bounds read and expose memory beyond the allocated bounds.

A vulnerability in the Apache HTTP web server is due to the mod_sed module not properly controlling
internal resource consumption when the web server is configured to perform mod_sed transformations
in contexts where the input to mod_sed can be very large. Exploitation of the vulnerability could
allow a remote attacker to cause resource exhaustion and perform a
denial of service (DoS) attack.

| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| redos | 7.3 | x86_64 | httpd | <= 2.4.54-1 | UNKNOWN |
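
A triage helper for the list above, added here as an example and not part of the advisory: it takes the installed httpd version-release and the output of `httpd -M` and returns which of the eight items need review on that host. Assumptions: the module identifiers are the standard names `httpd -M` prints, the item labels are shortened from the descriptions above, and the version comparison is a simplified numeric compare rather than full RPM ordering.

```python
import re

# One entry per advisory item: (module identifier printed by `httpd -M`, label).
# None marks core functions, which are present regardless of loaded modules.
ADVISORY_ITEMS = [
    ("lua_module", "mod_lua r:parsebody(0) large-request DoS"),
    ("lua_module", "mod_lua r:wsread() returned length"),
    ("isapi_module", "mod_isapi out-of-bounds read"),
    (None, "ap_strcmp_match() out-of-bounds read"),
    ("proxy_module", "mod_proxy X-Forwarded-* headers not sent"),
    ("proxy_ajp_module", "mod_proxy_ajp request validation"),
    (None, "ap_rwrite()/ap_rputs() out-of-bounds read"),
    ("sed_module", "mod_sed resource exhaustion"),
]
LAST_AFFECTED = "2.4.54-1"  # from the advisory table: httpd <= 2.4.54-1

def nvr_key(version_release):
    """Sort key for 'X.Y.Z-R[.dist]' (assumption: simplified, not rpmvercmp)."""
    m = re.match(r"(\d+(?:\.\d+)*)-(\d+)", version_release)
    if not m:
        raise ValueError("unrecognised version-release: %r" % version_release)
    return tuple(int(n) for n in m.group(1).split(".")) + (int(m.group(2)),)

def loaded_modules(httpd_m_output):
    """Parse `httpd -M` lines such as ' lua_module (shared)'."""
    return set(re.findall(r"^\s*(\w+_module)\s+\(\w+\)", httpd_m_output, re.M))

def applicable_items(version_release, httpd_m_output):
    """Advisory items reachable with this package build and module set."""
    if nvr_key(version_release) > nvr_key(LAST_AFFECTED):
        return []
    mods = loaded_modules(httpd_m_output)
    return [label for mod, label in ADVISORY_ITEMS if mod is None or mod in mods]

# Constructed sample input (not captured from a real host).
SAMPLE_HTTPD_M = """Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_ajp_module (shared)
 sed_module (shared)
"""

if __name__ == "__main__":
    for item in applicable_items("2.4.53-2", SAMPLE_HTTPD_M):
        print("review:", item)
```

On a real host the two inputs would come from `rpm -q --qf '%{VERSION}-%{RELEASE}' httpd` and `httpd -M`.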
