ubuntucve | Ubuntu.com | UB:CVE-2011-3368
Oct 05, 2011 - 12:00 a.m.

CVE-2011-3368


CVSS2: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.974
Percentile: 99.9%

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x
through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with
use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for
configuration of a reverse proxy, which allows remote attackers to send
requests to intranet servers via a malformed URI containing an initial @
(at sign) character.

Notes

Author: tyhicks
Note: Per Novell BTS (comment #16), the proposed fix is incomplete for 0.9 http requests.
OS      OS version  Architecture  Package  Package version       Filename
ubuntu  8.04        noarch        apache2  < 2.2.8-1ubuntu0.22   UNKNOWN
ubuntu  10.04       noarch        apache2  < 2.2.14-5ubuntu8.7   UNKNOWN
ubuntu  10.10       noarch        apache2  < 2.2.16-1ubuntu3.4   UNKNOWN
ubuntu  11.04       noarch        apache2  < 2.2.17-1ubuntu1.4   UNKNOWN
ubuntu  11.10       noarch        apache2  < 2.2.20-1ubuntu1.1   UNKNOWN
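
A log check for the request shape described above, added here as an example (it is not code from Ubuntu or the Apache project). It assumes the Apache common/combined access log format and flags request targets that begin with "@". Requests logged without a protocol token (HTTP/0.9 style) are marked separately because the note above says the proposed fix is incomplete for them. The log lines, addresses and the function names are constructed for illustration.

```python
import re

# Assumed format: Apache common/combined log, request line in the first quoted field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation addresses, placeholder targets).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Oct/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [05/Oct/2011:10:00:02 +0000] "GET @constructed-value HTTP/1.1" 400 226',
    '192.0.2.44 - - [05/Oct/2011:10:00:03 +0000] "GET @constructed-value" 200 1043',
    '192.0.2.11 - - [05/Oct/2011:10:00:04 +0000] "GET /user/@alice HTTP/1.1" 200 77',
]

def classify(line):
    """Return a finding dict if the request target starts with '@', else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # not an access-log line we understand
    parts = m.group("request").split()
    if len(parts) < 2:
        return None                      # no request target present
    target = parts[1]
    if not target.startswith("@"):
        return None                      # '@' later in a normal path is not flagged
    status = int(m.group("status"))
    return {
        "client": m.group("client"),
        "time": m.group("ts"),
        "target": target,
        "status": status,
        "http09": len(parts) == 2,       # no protocol token: HTTP/0.9-style request
        "served": status < 400,          # answered without an error: triage first
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with "served" set on a reverse proxy that uses RewriteRule or ProxyPassMatch are the ones to review first, together with the installed apache2 version from the table above.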
