CVE-2009-1955

2009-06-0800:00:00

ubuntu.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.169 Low

EPSS

Percentile

96.0%

JSON

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache
APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in
the Apache HTTP Server, allows remote attackers to cause a denial of
service (memory consumption) via a crafted XML document containing a large
number of nested entity references, as demonstrated by a PROPFIND request,
a similar issue to CVE-2003-1564.

Notes

Author	Note
mdeslaur	PoC: http://www.milw0rm.com/exploits/8842

OSVersionArchitecturePackageVersionFilename
ubuntu6.06noarchapache2< 2.0.55-4ubuntu2.5UNKNOWN
ubuntu8.04noarchapr-util< 1.2.12+dfsg-3ubuntu0.1UNKNOWN
ubuntu8.10noarchapr-util< 1.2.12+dfsg-7ubuntu0.1UNKNOWN
ubuntu9.04noarchapr-util< 1.2.12+dfsg-8ubuntu0.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	6.06	noarch	apache2	< 2.0.55-4ubuntu2.5	UNKNOWN
ubuntu	8.04	noarch	apr-util	< 1.2.12+dfsg-3ubuntu0.1	UNKNOWN
ubuntu	8.10	noarch	apr-util	< 1.2.12+dfsg-7ubuntu0.1	UNKNOWN
ubuntu	9.04	noarch	apr-util	< 1.2.12+dfsg-8ubuntu0.1	UNKNOWN