CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.74 High
Percentile: 98.1%

protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly
restrict header information during construction of Bad Request (aka 400)
error documents, which allows remote attackers to obtain the values of
HTTPOnly cookies via vectors involving a (1) long or (2) malformed header
in conjunction with crafted web script.