Created
October 26, 2016 06:16
-
-
Save kotakanbe/7de6bab78b726f53efa3b2bf3203807a to your computer and use it in GitHub Desktop.
OWASP Dependency Check XML
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd"> | |
| <scanInfo> | |
| <engineVersion>1.4.3</engineVersion> | |
| <dataSource> | |
| <name>NVD CVE 2002</name> | |
| <timestamp>14/10/2016 17:11:02</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE 2003</name> | |
| <timestamp>07/10/2016 17:52:39</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE 2004</name> | |
| <timestamp>15/10/2016 18:07:20</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE 2005</name> | |
| <timestamp>15/10/2016 18:02:31</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE 2006</name> | |
| <timestamp>15/10/2016 17:54:38</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE 2007</name> | |
| <timestamp>04/10/2016 17:25:09</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE 2008</name> | |
| <timestamp>15/10/2016 17:42:22</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE 2009</name> | |
| <timestamp>20/09/2016 16:51:41</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE 2010</name> | |
| <timestamp>15/10/2016 17:28:54</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE 2011</name> | |
| <timestamp>06/10/2016 17:32:18</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE 2012</name> | |
| <timestamp>15/10/2016 17:15:27</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE 2013</name> | |
| <timestamp>15/10/2016 17:02:03</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE 2014</name> | |
| <timestamp>15/10/2016 16:46:43</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE 2015</name> | |
| <timestamp>17/10/2016 16:31:45</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE 2016</name> | |
| <timestamp>17/10/2016 16:13:32</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE Checked</name> | |
| <timestamp>24/10/2016 12:08:18</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>NVD CVE Modified</name> | |
| <timestamp>24/10/2016 09:11:17</timestamp> | |
| </dataSource> | |
| <dataSource> | |
| <name>VersionCheckOn</name> | |
| <timestamp>1476706248241</timestamp> | |
| </dataSource> | |
| </scanInfo> | |
| <projectInfo> | |
| <name>hoge</name> | |
| <reportDate>2016-10-24T12:08:38.251+0900</reportDate> | |
| <credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits> | |
| </projectInfo> | |
| <dependencies> | |
| <dependency> | |
| <fileName>antlr-2.7.2.jar</fileName> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/antlr-2.7.2.jar</filePath> | |
| <md5>a73459120df5cadf75eaa98453433a01</md5> | |
| <sha1>546b5220622c4d9b2da45ad1899224b6ce1c8830</sha1> | |
| <evidenceCollected> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>antlr</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>antlr</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>antlr</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>antlrall</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>antlr</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>antlr</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>antlrall</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>antlr</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>antlrall</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>antlr</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>2.7.2</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>antlr</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>file</source> | |
| <name>version</name> | |
| <value>2.7.2</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>version</name> | |
| <value>2.7.2</value> | |
| </evidence> | |
| </evidenceCollected> | |
| <identifiers> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(antlr:antlr:2.7.2)</name> | |
| <url>http://search.maven.org/remotecontent?filepath=antlr/antlr/2.7.2/antlr-2.7.2.jar</url> | |
| </identifier> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(antlr:antlrall:2.7.2)</name> | |
| <url>http://search.maven.org/remotecontent?filepath=antlr/antlrall/2.7.2/antlrall-2.7.2.jar</url> | |
| </identifier> | |
| </identifiers> | |
| </dependency> | |
| <dependency> | |
| <fileName>bsf-2.3.0.jar</fileName> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/bsf-2.3.0.jar</filePath> | |
| <md5>4a61c9f221ebed459999e4006f2f8fa0</md5> | |
| <sha1>b6be87b58571101e95525228cf23e934b4eabe35</sha1> | |
| <evidenceCollected> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>bsf</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>bsf</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>apache</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>bsf</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>bsf</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>bsf</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>bsf</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>bsf</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>bsf</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>bsf</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>bsf</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>2.3.0</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>2.3.0-rc1</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>bsf</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>file</source> | |
| <name>version</name> | |
| <value>2.3.0</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>version</name> | |
| <value>2.3.0-rc1</value> | |
| </evidence> | |
| </evidenceCollected> | |
| <identifiers> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(bsf:bsf:2.3.0)</name> | |
| <url>http://search.maven.org/remotecontent?filepath=bsf/bsf/2.3.0/bsf-2.3.0.jar</url> | |
| </identifier> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(bsf:bsf:2.3.0-rc1)</name> | |
| <url>http://search.maven.org/remotecontent?filepath=bsf/bsf/2.3.0-rc1/bsf-2.3.0-rc1.jar</url> | |
| </identifier> | |
| </identifiers> | |
| </dependency> | |
| <dependency> | |
| <fileName>commons-beanutils-1.8.0.jar</fileName> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/commons-beanutils-1.8.0.jar</filePath> | |
| <md5>d93127c2aa1815a25b13d971e974e9b1</md5> | |
| <sha1>0c651d5103c649c12b20d53731643e5fffceb536</sha1> | |
| <description>BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.</description> | |
| <license>http://www.apache.org/licenses/LICENSE-2.0.txt</license> | |
| <evidenceCollected> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>commons-beanutils</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-beanutils</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>manifest</source> | |
| <name>Bundle-Description</name> | |
| <value>BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>Manifest</source> | |
| <name>bundle-docurl</name> | |
| <value>http://commons.apache.org/beanutils/</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>bundle-symbolicname</name> | |
| <value>org.apache.commons.beanutils</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor</name> | |
| <value>The Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor-Id</name> | |
| <value>org.apache</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>Manifest</source> | |
| <name>specification-vendor</name> | |
| <value>The Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>commons-beanutils</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>pom</source> | |
| <name>description</name> | |
| <value>BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>commons-beanutils</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>Commons BeanUtils</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>parent-artifactid</name> | |
| <value>commons-parent</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>pom</source> | |
| <name>parent-groupid</name> | |
| <value>org.apache.commons</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>url</name> | |
| <value>http://commons.apache.org/beanutils/</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>commons-beanutils</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-beanutils</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>manifest</source> | |
| <name>Bundle-Description</name> | |
| <value>BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>Manifest</source> | |
| <name>bundle-docurl</name> | |
| <value>http://commons.apache.org/beanutils/</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>Bundle-Name</name> | |
| <value>Commons BeanUtils</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>bundle-symbolicname</name> | |
| <value>org.apache.commons.beanutils</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Title</name> | |
| <value>Commons BeanUtils</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>specification-title</name> | |
| <value>Commons BeanUtils</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>commons-beanutils</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>pom</source> | |
| <name>description</name> | |
| <value>BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>commons-beanutils</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>Commons BeanUtils</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>pom</source> | |
| <name>parent-artifactid</name> | |
| <value>commons-parent</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>parent-groupid</name> | |
| <value>org.apache.commons</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>1.8.0</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-beanutils</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>file</source> | |
| <name>version</name> | |
| <value>1.8.0</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Bundle-Version</name> | |
| <value>1.8.0</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Version</name> | |
| <value>1.8.0</value> | |
| </evidence> | |
| <evidence type="version" confidence="LOW"> | |
| <source>pom</source> | |
| <name>parent-version</name> | |
| <value>1.8.0</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>version</name> | |
| <value>1.8.0</value> | |
| </evidence> | |
| </evidenceCollected> | |
| <identifiers> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(commons-beanutils:commons-beanutils:1.8.0)</name> | |
| <url>http://search.maven.org/#search|ga|1|1%3A%220c651d5103c649c12b20d53731643e5fffceb536%22</url> | |
| </identifier> | |
| <identifier type="cpe" confidence="LOW"> | |
| <name>(cpe:/a:apache:commons_beanutils:1.8.0)</name> | |
| </identifier> | |
| </identifiers> | |
| <vulnerabilities> | |
| <vulnerability> | |
| <name>CVE-2014-0114</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <cwe>CWE-20 Improper Input Validation</cwe> | |
| <description>Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.</description> | |
| <references> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/534161/100/0/threaded</url> | |
| <name>20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt</url> | |
| <name>http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676091</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676091</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676303</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676303</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676375</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676375</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676931</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676931</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.vmware.com/security/advisories/VMSA-2014-0012.html</url> | |
| <name>http://www.vmware.com/security/advisories/VMSA-2014-0012.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://access.redhat.com/solutions/869353</url> | |
| <name>https://access.redhat.com/solutions/869353</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=1091938</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=1091938</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=1116665</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=1116665</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://issues.apache.org/jira/browse/BEANUTILS-463</url> | |
| <name>https://issues.apache.org/jira/browse/BEANUTILS-463</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2014/dsa-2940</url> | |
| <name>DSA-2940</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html</url> | |
| <name>FEDORA-2014-9380</name> | |
| </reference> | |
| <reference> | |
| <source>FULLDISC</source> | |
| <url>http://seclists.org/fulldisclosure/2014/Dec/23</url> | |
| <name>20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=140119284401582&w=2</url> | |
| <name>HPSBGN03041</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=140801096002766&w=2</url> | |
| <name>HPSBMU03090</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=141451023707502&w=2</url> | |
| <name>HPSBST03160</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://openwall.com/lists/oss-security/2014/06/15/10</url> | |
| <name>[oss-security] 20140616 CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://openwall.com/lists/oss-security/2014/07/08/1</url> | |
| <name>[oss-security] 20140707 Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:commons_beanutils:1.9.1</software> | |
| <software>cpe:/a:apache:struts:1.0</software> | |
| <software>cpe:/a:apache:struts:1.0.2</software> | |
| <software>cpe:/a:apache:struts:1.1</software> | |
| <software>cpe:/a:apache:struts:1.1:b1</software> | |
| <software>cpe:/a:apache:struts:1.1:b2</software> | |
| <software>cpe:/a:apache:struts:1.1:b3</software> | |
| <software>cpe:/a:apache:struts:1.1:rc1</software> | |
| <software>cpe:/a:apache:struts:1.1:rc2</software> | |
| <software>cpe:/a:apache:struts:1.2.2</software> | |
| <software>cpe:/a:apache:struts:1.2.4</software> | |
| <software>cpe:/a:apache:struts:1.2.6</software> | |
| <software>cpe:/a:apache:struts:1.2.7</software> | |
| <software>cpe:/a:apache:struts:1.2.8</software> | |
| <software>cpe:/a:apache:struts:1.2.9</software> | |
| <software>cpe:/a:apache:struts:1.3.5</software> | |
| <software>cpe:/a:apache:struts:1.3.8</software> | |
| <software>cpe:/a:apache:struts:1.3.10</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| </vulnerabilities> | |
| </dependency> | |
| <dependency> | |
| <fileName>commons-chain-1.2.jar</fileName> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/commons-chain-1.2.jar</filePath> | |
| <md5>e18e2c87826644e4c8c08635572c154f</md5> | |
| <sha1>744a13e8766e338bd347b6fbc28c6db12979d0c6</sha1> | |
| <description> | |
| An implementation of the GoF Chain of Responsibility pattern | |
| </description> | |
| <license>http://www.apache.org/licenses/LICENSE-2.0.txt</license> | |
| <evidenceCollected> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>commons-chain</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-chain</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>manifest</source> | |
| <name>Bundle-Description</name> | |
| <value>An implementation of the GoF Chain of Responsibility pattern</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>Manifest</source> | |
| <name>bundle-docurl</name> | |
| <value>http://commons.apache.org/chain/</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>bundle-symbolicname</name> | |
| <value>org.apache.commons.chain</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor</name> | |
| <value>The Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor-Id</name> | |
| <value>org.apache</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>Manifest</source> | |
| <name>specification-vendor</name> | |
| <value>The Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>commons-chain</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>pom</source> | |
| <name>description</name> | |
| <value>An implementation of the GoF Chain of Responsibility pattern</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>commons-chain</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>Commons Chain</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>parent-artifactid</name> | |
| <value>commons-parent</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>pom</source> | |
| <name>parent-groupid</name> | |
| <value>org.apache.commons</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>url</name> | |
| <value>http://commons.apache.org/chain/</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>commons-chain</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-chain</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>manifest</source> | |
| <name>Bundle-Description</name> | |
| <value>An implementation of the GoF Chain of Responsibility pattern</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>Manifest</source> | |
| <name>bundle-docurl</name> | |
| <value>http://commons.apache.org/chain/</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>Bundle-Name</name> | |
| <value>Commons Chain</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>bundle-symbolicname</name> | |
| <value>org.apache.commons.chain</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Title</name> | |
| <value>Commons Chain</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>specification-title</name> | |
| <value>Commons Chain</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>commons-chain</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>pom</source> | |
| <name>description</name> | |
| <value>An implementation of the GoF Chain of Responsibility pattern</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>commons-chain</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>Commons Chain</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>pom</source> | |
| <name>parent-artifactid</name> | |
| <value>commons-parent</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>parent-groupid</name> | |
| <value>org.apache.commons</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>1.2</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-chain</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>file</source> | |
| <name>version</name> | |
| <value>1.2</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Bundle-Version</name> | |
| <value>1.2</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Version</name> | |
| <value>1.2</value> | |
| </evidence> | |
| <evidence type="version" confidence="LOW"> | |
| <source>pom</source> | |
| <name>parent-version</name> | |
| <value>1.2</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>version</name> | |
| <value>1.2</value> | |
| </evidence> | |
| </evidenceCollected> | |
| <identifiers> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(commons-chain:commons-chain:1.2)</name> | |
| <url>http://search.maven.org/#search|ga|1|1%3A%22744a13e8766e338bd347b6fbc28c6db12979d0c6%22</url> | |
| </identifier> | |
| </identifiers> | |
| </dependency> | |
| <dependency> | |
| <fileName>commons-digester-1.8.jar</fileName> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/commons-digester-1.8.jar</filePath> | |
| <md5>cf89c593f0378e9509a06fce7030aeba</md5> | |
| <sha1>dc6a73fdbd1fa3f0944e8497c6c872fa21dca37e</sha1> | |
| <description>The Digester package lets you configure an XML->Java object mapping module | |
| which triggers certain actions called rules whenever a particular | |
| pattern of nested XML elements is recognized.</description> | |
| <license>The Apache Software License, Version 2.0: /LICENSE.txt</license> | |
| <evidenceCollected> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>commons-digester</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-digester</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>apache</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>commons</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>digester</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>extension-name</name> | |
| <value>commons-digester</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor</name> | |
| <value>The Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor-Id</name> | |
| <value>org.apache</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>Manifest</source> | |
| <name>specification-vendor</name> | |
| <value>The Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>commons-digester</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>description</name> | |
| <value>The Digester package lets you configure an XML->Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>commons-digester</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>Digester</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>organization name</name> | |
| <value>http://jakarta.apache.org</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>url</name> | |
| <value>http://jakarta.apache.org/commons/digester/</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>commons-digester</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-digester</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>commons</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>digester</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>extension-name</name> | |
| <value>commons-digester</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Title</name> | |
| <value>org.apache.commons.digester</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>specification-title</name> | |
| <value>Rule based XML->Java object mapping module</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>commons-digester</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>description</name> | |
| <value>The Digester package lets you configure an XML->Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>commons-digester</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>Digester</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>organization name</name> | |
| <value>http://jakarta.apache.org</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>1.8</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-digester</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>file</source> | |
| <name>version</name> | |
| <value>1.8</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Version</name> | |
| <value>1.8</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>version</name> | |
| <value>1.8</value> | |
| </evidence> | |
| </evidenceCollected> | |
| <identifiers> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(commons-digester:commons-digester:1.8)</name> | |
| <url>http://search.maven.org/remotecontent?filepath=commons-digester/commons-digester/1.8/commons-digester-1.8.jar</url> | |
| </identifier> | |
| </identifiers> | |
| </dependency> | |
| <dependency> | |
| <fileName>commons-fileupload-1.1.1.jar</fileName> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/commons-fileupload-1.1.1.jar</filePath> | |
| <md5>adb15d9a4da4a30d77e88b32a45cbddb</md5> | |
| <sha1>d587a50727ba905aad13de9ea119081403bf6823</sha1> | |
| <description>The FileUpload component provides a simple yet flexible means of adding | |
| support for multipart file upload functionality to servlets and web | |
| applications.</description> | |
| <license>The Apache Software License, Version 2.0: /LICENSE.txt</license> | |
| <evidenceCollected> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>commons-fileupload</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-fileupload</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>apache</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>commons</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>fileupload</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>extension-name</name> | |
| <value>commons-fileupload</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor</name> | |
| <value>Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor-Id</name> | |
| <value>org.apache</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>Manifest</source> | |
| <name>specification-vendor</name> | |
| <value>Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>commons-fileupload</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>description</name> | |
| <value>The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>commons-fileupload</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>FileUpload</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>organization name</name> | |
| <value>http://jakarta.apache.org</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>url</name> | |
| <value>http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>commons-fileupload</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-fileupload</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>commons</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>fileupload</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>extension-name</name> | |
| <value>commons-fileupload</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Title</name> | |
| <value>Commons FileUpload</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>specification-title</name> | |
| <value>Commons FileUpload</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>commons-fileupload</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>description</name> | |
| <value>The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>commons-fileupload</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>FileUpload</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>organization name</name> | |
| <value>http://jakarta.apache.org</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>1.1.1</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-fileupload</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>file</source> | |
| <name>version</name> | |
| <value>1.1.1</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Version</name> | |
| <value>1.1.1</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>version</name> | |
| <value>1.1.1</value> | |
| </evidence> | |
| </evidenceCollected> | |
| <identifiers> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(commons-fileupload:commons-fileupload:1.1.1)</name> | |
| <url>http://search.maven.org/remotecontent?filepath=commons-fileupload/commons-fileupload/1.1.1/commons-fileupload-1.1.1.jar</url> | |
| </identifier> | |
| <identifier type="cpe" confidence="HIGHEST"> | |
| <name>(cpe:/a:apache:commons_fileupload:1.1.1)</name> | |
| <url>https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Acommons_fileupload%3A1.1.1</url> | |
| </identifier> | |
| </identifiers> | |
| <vulnerabilities> | |
| <vulnerability> | |
| <name>CVE-2016-3092</name> | |
| <cvssScore>7.8</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <cwe>CWE-20 Improper Input Validation</cwe> | |
| <description>The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/91453</url> | |
| <name>91453</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=revision&revision=1743480</url> | |
| <name>http://svn.apache.org/viewvc?view=revision&revision=1743480</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=revision&revision=1743722</url> | |
| <name>http://svn.apache.org/viewvc?view=revision&revision=1743722</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=revision&revision=1743738</url> | |
| <name>http://svn.apache.org/viewvc?view=revision&revision=1743738</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=revision&revision=1743742</url> | |
| <name>http://svn.apache.org/viewvc?view=revision&revision=1743742</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://tomcat.apache.org/security-7.html</url> | |
| <name>http://tomcat.apache.org/security-7.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://tomcat.apache.org/security-8.html</url> | |
| <name>http://tomcat.apache.org/security-8.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://tomcat.apache.org/security-9.html</url> | |
| <name>http://tomcat.apache.org/security-9.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=1349468</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=1349468</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371</url> | |
| <name>https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840</url> | |
| <name>https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2016/dsa-3609</url> | |
| <name>DSA-3609</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2016/dsa-3611</url> | |
| <name>DSA-3611</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2016/dsa-3614</url> | |
| <name>DSA-3614</name> | |
| </reference> | |
| <reference> | |
| <source>JVN</source> | |
| <url>http://jvn.jp/en/jp/JVN89379547/index.html</url> | |
| <name>JVN#89379547</name> | |
| </reference> | |
| <reference> | |
| <source>JVNDB</source> | |
| <url>http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121</url> | |
| <name>JVNDB-2016-000121</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E</url> | |
| <name>[dev] 20160621 CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-3024-1</url> | |
| <name>USN-3024-1</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-3027-1</url> | |
| <name>USN-3027-1</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:commons_fileupload:1.3.1</software> | |
| <software>cpe:/a:apache:tomcat:7.0.0</software> | |
| <software>cpe:/a:apache:tomcat:7.0.0:beta</software> | |
| <software>cpe:/a:apache:tomcat:7.0.1</software> | |
| <software>cpe:/a:apache:tomcat:7.0.2</software> | |
| <software>cpe:/a:apache:tomcat:7.0.2:beta</software> | |
| <software>cpe:/a:apache:tomcat:7.0.4</software> | |
| <software>cpe:/a:apache:tomcat:7.0.4:beta</software> | |
| <software>cpe:/a:apache:tomcat:7.0.5</software> | |
| <software>cpe:/a:apache:tomcat:7.0.5:beta</software> | |
| <software>cpe:/a:apache:tomcat:7.0.6</software> | |
| <software>cpe:/a:apache:tomcat:7.0.8</software> | |
| <software>cpe:/a:apache:tomcat:7.0.10</software> | |
| <software>cpe:/a:apache:tomcat:7.0.11</software> | |
| <software>cpe:/a:apache:tomcat:7.0.12</software> | |
| <software>cpe:/a:apache:tomcat:7.0.14</software> | |
| <software>cpe:/a:apache:tomcat:7.0.16</software> | |
| <software>cpe:/a:apache:tomcat:7.0.19</software> | |
| <software>cpe:/a:apache:tomcat:7.0.20</software> | |
| <software>cpe:/a:apache:tomcat:7.0.21</software> | |
| <software>cpe:/a:apache:tomcat:7.0.22</software> | |
| <software>cpe:/a:apache:tomcat:7.0.23</software> | |
| <software>cpe:/a:apache:tomcat:7.0.25</software> | |
| <software>cpe:/a:apache:tomcat:7.0.26</software> | |
| <software>cpe:/a:apache:tomcat:7.0.27</software> | |
| <software>cpe:/a:apache:tomcat:7.0.28</software> | |
| <software>cpe:/a:apache:tomcat:7.0.29</software> | |
| <software>cpe:/a:apache:tomcat:7.0.30</software> | |
| <software>cpe:/a:apache:tomcat:7.0.32</software> | |
| <software>cpe:/a:apache:tomcat:7.0.33</software> | |
| <software>cpe:/a:apache:tomcat:7.0.34</software> | |
| <software>cpe:/a:apache:tomcat:7.0.35</software> | |
| <software>cpe:/a:apache:tomcat:7.0.37</software> | |
| <software>cpe:/a:apache:tomcat:7.0.39</software> | |
| <software>cpe:/a:apache:tomcat:7.0.40</software> | |
| <software>cpe:/a:apache:tomcat:7.0.41</software> | |
| <software>cpe:/a:apache:tomcat:7.0.42</software> | |
| <software>cpe:/a:apache:tomcat:7.0.47</software> | |
| <software>cpe:/a:apache:tomcat:7.0.50</software> | |
| <software>cpe:/a:apache:tomcat:7.0.52</software> | |
| <software>cpe:/a:apache:tomcat:7.0.53</software> | |
| <software>cpe:/a:apache:tomcat:7.0.54</software> | |
| <software>cpe:/a:apache:tomcat:7.0.55</software> | |
| <software>cpe:/a:apache:tomcat:7.0.56</software> | |
| <software>cpe:/a:apache:tomcat:7.0.57</software> | |
| <software>cpe:/a:apache:tomcat:7.0.59</software> | |
| <software>cpe:/a:apache:tomcat:7.0.61</software> | |
| <software>cpe:/a:apache:tomcat:7.0.62</software> | |
| <software>cpe:/a:apache:tomcat:7.0.63</software> | |
| <software>cpe:/a:apache:tomcat:7.0.64</software> | |
| <software>cpe:/a:apache:tomcat:7.0.65</software> | |
| <software>cpe:/a:apache:tomcat:7.0.67</software> | |
| <software>cpe:/a:apache:tomcat:7.0.68</software> | |
| <software>cpe:/a:apache:tomcat:7.0.69</software> | |
| <software>cpe:/a:apache:tomcat:8.0.0:rc1</software> | |
| <software>cpe:/a:apache:tomcat:8.0.0:rc10</software> | |
| <software>cpe:/a:apache:tomcat:8.0.0:rc2</software> | |
| <software>cpe:/a:apache:tomcat:8.0.0:rc5</software> | |
| <software>cpe:/a:apache:tomcat:8.0.1</software> | |
| <software>cpe:/a:apache:tomcat:8.0.3</software> | |
| <software>cpe:/a:apache:tomcat:8.0.5</software> | |
| <software>cpe:/a:apache:tomcat:8.0.8</software> | |
| <software>cpe:/a:apache:tomcat:8.0.11</software> | |
| <software>cpe:/a:apache:tomcat:8.0.12</software> | |
| <software>cpe:/a:apache:tomcat:8.0.14</software> | |
| <software>cpe:/a:apache:tomcat:8.0.15</software> | |
| <software>cpe:/a:apache:tomcat:8.0.17</software> | |
| <software>cpe:/a:apache:tomcat:8.0.18</software> | |
| <software>cpe:/a:apache:tomcat:8.0.20</software> | |
| <software>cpe:/a:apache:tomcat:8.0.21</software> | |
| <software>cpe:/a:apache:tomcat:8.0.22</software> | |
| <software>cpe:/a:apache:tomcat:8.0.23</software> | |
| <software>cpe:/a:apache:tomcat:8.0.24</software> | |
| <software>cpe:/a:apache:tomcat:8.0.26</software> | |
| <software>cpe:/a:apache:tomcat:8.0.27</software> | |
| <software>cpe:/a:apache:tomcat:8.0.28</software> | |
| <software>cpe:/a:apache:tomcat:8.0.29</software> | |
| <software>cpe:/a:apache:tomcat:8.0.30</software> | |
| <software>cpe:/a:apache:tomcat:8.0.32</software> | |
| <software>cpe:/a:apache:tomcat:8.0.33</software> | |
| <software>cpe:/a:apache:tomcat:8.0.35</software> | |
| <software>cpe:/a:apache:tomcat:8.5.0</software> | |
| <software>cpe:/a:apache:tomcat:8.5.2</software> | |
| <software>cpe:/a:apache:tomcat:9.0.0:m1</software> | |
| <software>cpe:/a:apache:tomcat:9.0.0:m3</software> | |
| <software>cpe:/a:apache:tomcat:9.0.0:m4</software> | |
| <software>cpe:/a:apache:tomcat:9.0.0:m6</software> | |
| <software>cpe:/a:hp:icewall_identity_manager:5.0</software> | |
| <software>cpe:/a:hp:icewall_sso_agent_option:10.0</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2014-0050</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <cwe>CWE-264 Permissions, Privileges, and Access Controls</cwe> | |
| <description>MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/65400</url> | |
| <name>65400</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/532549/100/0/threaded</url> | |
| <name>20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/534161/100/0/threaded</url> | |
| <name>20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://advisories.mageia.org/MGASA-2014-0110.html</url> | |
| <name>http://advisories.mageia.org/MGASA-2014-0110.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/r1565143</url> | |
| <name>http://svn.apache.org/r1565143</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://tomcat.apache.org/security-7.html</url> | |
| <name>http://tomcat.apache.org/security-7.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://tomcat.apache.org/security-8.html</url> | |
| <name>http://tomcat.apache.org/security-8.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21669554</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21669554</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21675432</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21675432</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676091</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676091</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676092</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676092</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676401</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676401</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676403</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676403</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676405</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676405</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676410</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676410</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676656</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676656</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676853</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676853</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21677691</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21677691</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21677724</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21677724</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21681214</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21681214</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html</url> | |
| <name>http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html</url> | |
| <name>http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html</url> | |
| <name>http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm</url> | |
| <name>http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.vmware.com/security/advisories/VMSA-2014-0007.html</url> | |
| <name>http://www.vmware.com/security/advisories/VMSA-2014-0007.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.vmware.com/security/advisories/VMSA-2014-0012.html</url> | |
| <name>http://www.vmware.com/security/advisories/VMSA-2014-0012.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=1062337</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=1062337</name> | |
| </reference> | |
| <reference> | |
| <source>FULLDISC</source> | |
| <url>http://seclists.org/fulldisclosure/2014/Dec/23</url> | |
| <name>20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=143136844732487&w=2</url> | |
| <name>HPSBGN03329</name> | |
| </reference> | |
| <reference> | |
| <source>JVN</source> | |
| <url>http://jvn.jp/en/jp/JVN14876762/index.html</url> | |
| <name>JVN#14876762</name> | |
| </reference> | |
| <reference> | |
| <source>JVNDB</source> | |
| <url>http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017</url> | |
| <name>JVNDB-2014-000017</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2015:084</url> | |
| <name>MDVSA-2015:084</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html</url> | |
| <name>http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html</url> | |
| <name>http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907@apache.org%3E</url> | |
| <name>[commons-dev] 20140206 [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2014-0400.html</url> | |
| <name>RHSA-2014:0400</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:commons_fileupload:1.0</software> | |
| <software>cpe:/a:apache:commons_fileupload:1.1</software> | |
| <software>cpe:/a:apache:commons_fileupload:1.1.1</software> | |
| <software>cpe:/a:apache:commons_fileupload:1.2</software> | |
| <software>cpe:/a:apache:commons_fileupload:1.2.1</software> | |
| <software>cpe:/a:apache:commons_fileupload:1.2.2</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:commons_fileupload:1.3</software> | |
| <software>cpe:/a:apache:tomcat:7.0.0</software> | |
| <software>cpe:/a:apache:tomcat:7.0.0:beta</software> | |
| <software>cpe:/a:apache:tomcat:7.0.1</software> | |
| <software>cpe:/a:apache:tomcat:7.0.2</software> | |
| <software>cpe:/a:apache:tomcat:7.0.2:beta</software> | |
| <software>cpe:/a:apache:tomcat:7.0.3</software> | |
| <software>cpe:/a:apache:tomcat:7.0.4</software> | |
| <software>cpe:/a:apache:tomcat:7.0.4:beta</software> | |
| <software>cpe:/a:apache:tomcat:7.0.5</software> | |
| <software>cpe:/a:apache:tomcat:7.0.6</software> | |
| <software>cpe:/a:apache:tomcat:7.0.7</software> | |
| <software>cpe:/a:apache:tomcat:7.0.8</software> | |
| <software>cpe:/a:apache:tomcat:7.0.9</software> | |
| <software>cpe:/a:apache:tomcat:7.0.10</software> | |
| <software>cpe:/a:apache:tomcat:7.0.11</software> | |
| <software>cpe:/a:apache:tomcat:7.0.12</software> | |
| <software>cpe:/a:apache:tomcat:7.0.13</software> | |
| <software>cpe:/a:apache:tomcat:7.0.14</software> | |
| <software>cpe:/a:apache:tomcat:7.0.15</software> | |
| <software>cpe:/a:apache:tomcat:7.0.16</software> | |
| <software>cpe:/a:apache:tomcat:7.0.17</software> | |
| <software>cpe:/a:apache:tomcat:7.0.18</software> | |
| <software>cpe:/a:apache:tomcat:7.0.19</software> | |
| <software>cpe:/a:apache:tomcat:7.0.20</software> | |
| <software>cpe:/a:apache:tomcat:7.0.21</software> | |
| <software>cpe:/a:apache:tomcat:7.0.22</software> | |
| <software>cpe:/a:apache:tomcat:7.0.23</software> | |
| <software>cpe:/a:apache:tomcat:7.0.24</software> | |
| <software>cpe:/a:apache:tomcat:7.0.25</software> | |
| <software>cpe:/a:apache:tomcat:7.0.26</software> | |
| <software>cpe:/a:apache:tomcat:7.0.27</software> | |
| <software>cpe:/a:apache:tomcat:7.0.28</software> | |
| <software>cpe:/a:apache:tomcat:7.0.29</software> | |
| <software>cpe:/a:apache:tomcat:7.0.30</software> | |
| <software>cpe:/a:apache:tomcat:7.0.31</software> | |
| <software>cpe:/a:apache:tomcat:7.0.32</software> | |
| <software>cpe:/a:apache:tomcat:7.0.33</software> | |
| <software>cpe:/a:apache:tomcat:7.0.34</software> | |
| <software>cpe:/a:apache:tomcat:7.0.35</software> | |
| <software>cpe:/a:apache:tomcat:7.0.36</software> | |
| <software>cpe:/a:apache:tomcat:7.0.37</software> | |
| <software>cpe:/a:apache:tomcat:7.0.38</software> | |
| <software>cpe:/a:apache:tomcat:7.0.39</software> | |
| <software>cpe:/a:apache:tomcat:7.0.40</software> | |
| <software>cpe:/a:apache:tomcat:7.0.41</software> | |
| <software>cpe:/a:apache:tomcat:7.0.42</software> | |
| <software>cpe:/a:apache:tomcat:7.0.43</software> | |
| <software>cpe:/a:apache:tomcat:7.0.44</software> | |
| <software>cpe:/a:apache:tomcat:7.0.45</software> | |
| <software>cpe:/a:apache:tomcat:7.0.46</software> | |
| <software>cpe:/a:apache:tomcat:7.0.47</software> | |
| <software>cpe:/a:apache:tomcat:7.0.48</software> | |
| <software>cpe:/a:apache:tomcat:7.0.49</software> | |
| <software>cpe:/a:apache:tomcat:7.0.50</software> | |
| <software>cpe:/a:apache:tomcat:8.0.0:rc1</software> | |
| <software>cpe:/a:apache:tomcat:8.0.0:rc10</software> | |
| <software>cpe:/a:apache:tomcat:8.0.0:rc2</software> | |
| <software>cpe:/a:apache:tomcat:8.0.0:rc5</software> | |
| <software>cpe:/a:apache:tomcat:8.0.1</software> | |
| <software>cpe:/a:oracle:retail_applications:12.0</software> | |
| <software>cpe:/a:oracle:retail_applications:12.0in</software> | |
| <software>cpe:/a:oracle:retail_applications:13.0</software> | |
| <software>cpe:/a:oracle:retail_applications:13.1</software> | |
| <software>cpe:/a:oracle:retail_applications:13.2</software> | |
| <software>cpe:/a:oracle:retail_applications:13.3</software> | |
| <software>cpe:/a:oracle:retail_applications:13.4</software> | |
| <software>cpe:/a:oracle:retail_applications:14.0</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2013-0248</name> | |
| <cvssScore>3.3</cvssScore> | |
| <cvssAccessVector>LOCAL</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Low</severity> | |
| <cwe>CWE-264 Permissions, Privileges, and Access Controls</cwe> | |
| <description>The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.</description> | |
| <references> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2013-03/0035.html</url> | |
| <name>20130306 [SECURITY] CVE-2013-0248 Apache Commons FileUpload - Insecure examples</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=144050155601375&w=2</url> | |
| <name>HPSBMU03409</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:commons_fileupload:1.0</software> | |
| <software>cpe:/a:apache:commons_fileupload:1.1</software> | |
| <software>cpe:/a:apache:commons_fileupload:1.1.1</software> | |
| <software>cpe:/a:apache:commons_fileupload:1.2</software> | |
| <software>cpe:/a:apache:commons_fileupload:1.2.1</software> | |
| <software>cpe:/a:apache:commons_fileupload:1.2.2</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| </vulnerabilities> | |
| </dependency> | |
| <dependency> | |
| <fileName>commons-io-1.1.jar</fileName> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/commons-io-1.1.jar</filePath> | |
| <md5>ffd27d70f20214e49f9b796bf6fe32f4</md5> | |
| <sha1>5e986a7e4b0472aebe121154178dab2da26a8bf5</sha1> | |
| <description>Commons-IO contains utility classes, stream implementations, file filters, and endian classes.</description> | |
| <license>The Apache Software License, Version 2.0: /LICENSE.txt</license> | |
| <evidenceCollected> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>commons-io</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-io</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>apache</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>commons</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>io</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>extension-name</name> | |
| <value>commons-io</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor</name> | |
| <value>Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>Manifest</source> | |
| <name>specification-vendor</name> | |
| <value>Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>commons-io</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>pom</source> | |
| <name>description</name> | |
| <value>Commons-IO contains utility classes, stream implementations, file filters, and endian classes.</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>commons-io</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>IO</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>organization name</name> | |
| <value>http://jakarta.apache.org</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>url</name> | |
| <value>http://jakarta.apache.org/commons/io/</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>commons-io</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-io</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>commons</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>io</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>extension-name</name> | |
| <value>commons-io</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Title</name> | |
| <value>org.apache.commons.io</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>specification-title</name> | |
| <value>Commons IO</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>commons-io</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>pom</source> | |
| <name>description</name> | |
| <value>Commons-IO contains utility classes, stream implementations, file filters, and endian classes.</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>commons-io</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>IO</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>organization name</name> | |
| <value>http://jakarta.apache.org</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>1.1</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-io</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>file</source> | |
| <name>version</name> | |
| <value>1.1</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Version</name> | |
| <value>1.1</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>version</name> | |
| <value>1.1</value> | |
| </evidence> | |
| </evidenceCollected> | |
| <identifiers> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(commons-io:commons-io:1.1)</name> | |
| <url>http://search.maven.org/remotecontent?filepath=commons-io/commons-io/1.1/commons-io-1.1.jar</url> | |
| </identifier> | |
| </identifiers> | |
| </dependency> | |
| <dependency> | |
| <fileName>commons-logging-1.0.4.jar</fileName> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/commons-logging-1.0.4.jar</filePath> | |
| <md5>8a507817b28077e0478add944c64586a</md5> | |
| <sha1>f029a2aefe2b3e1517573c580f948caac31b1056</sha1> | |
| <description>Commons Logging is a thin adapter allowing configurable bridging to other, | |
| well known logging systems.</description> | |
| <license>The Apache Software License, Version 2.0: /LICENSE.txt</license> | |
| <evidenceCollected> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>commons-logging</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-logging</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>apache</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>commons</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>logging</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>extension-name</name> | |
| <value>org.apache.commons.logging</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor</name> | |
| <value>Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>Manifest</source> | |
| <name>specification-vendor</name> | |
| <value>Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>commons-logging</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>description</name> | |
| <value>Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>commons-logging</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>Logging</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>organization name</name> | |
| <value>http://jakarta.apache.org</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>url</name> | |
| <value>http://jakarta.apache.org/commons/logging/</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>commons-logging</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-logging</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>commons</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>impl</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>logging</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>extension-name</name> | |
| <value>org.apache.commons.logging</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>commons-logging</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>description</name> | |
| <value>Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>commons-logging</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>Logging</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>organization name</name> | |
| <value>http://jakarta.apache.org</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>1.0.4</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-logging</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>file</source> | |
| <name>version</name> | |
| <value>1.0.4</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Version</name> | |
| <value>1.0.4</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>version</name> | |
| <value>1.0.4</value> | |
| </evidence> | |
| </evidenceCollected> | |
| <identifiers> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(commons-logging:commons-logging:1.0.4)</name> | |
| <url>http://search.maven.org/remotecontent?filepath=commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.jar</url> | |
| </identifier> | |
| </identifiers> | |
| </dependency> | |
| <dependency> | |
| <fileName>commons-validator-1.3.1.jar</fileName> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/commons-validator-1.3.1.jar</filePath> | |
| <md5>4fe711769d6d61f51c21d6c89d70e904</md5> | |
| <sha1>d1fd6b1510f25e827adffcf17de3c85fa00e9391</sha1> | |
| <description>Commons Validator provides the building blocks for both client side validation | |
| and server side data validation. It may be used standalone or with a framework like | |
| Struts.</description> | |
| <license>The Apache Software License, Version 2.0: /LICENSE.txt</license> | |
| <evidenceCollected> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>commons-validator</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-validator</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>apache</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>commons</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>validator</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>extension-name</name> | |
| <value>commons-validator</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor</name> | |
| <value>The Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor-Id</name> | |
| <value>org.apache</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>Manifest</source> | |
| <name>specification-vendor</name> | |
| <value>The Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>commons-validator</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>description</name> | |
| <value>Commons Validator provides the building blocks for both client side validation and server side data validation. It may be used standalone or with a framework ...</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>commons-validator</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>Validator</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>organization name</name> | |
| <value>http://jakarta.apache.org</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>url</name> | |
| <value>http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>commons-validator</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-validator</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>commons</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>validator</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>extension-name</name> | |
| <value>commons-validator</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Title</name> | |
| <value>org.apache.commons.validator</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>specification-title</name> | |
| <value>Commons Validator</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>commons-validator</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>description</name> | |
| <value>Commons Validator provides the building blocks for both client side validation and server side data validation. It may be used standalone or with a framework ...</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>commons-validator</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>Validator</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>organization name</name> | |
| <value>http://jakarta.apache.org</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>1.3.1</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>commons-validator</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>file</source> | |
| <name>version</name> | |
| <value>1.3.1</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Version</name> | |
| <value>1.3.1</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>version</name> | |
| <value>1.3.1</value> | |
| </evidence> | |
| </evidenceCollected> | |
| <identifiers> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(commons-validator:commons-validator:1.3.1)</name> | |
| <url>http://search.maven.org/remotecontent?filepath=commons-validator/commons-validator/1.3.1/commons-validator-1.3.1.jar</url> | |
| </identifier> | |
| <identifier type="cpe" confidence="LOW"> | |
| <name>(cpe:/a:apache:apache_http_server:1.3.1)</name> | |
| <url>https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Aapache_http_server</url> | |
| </identifier> | |
| <identifier type="cpe" confidence="HIGHEST"> | |
| <name>(cpe:/a:apache:http_server:1.3.1)</name> | |
| <url>https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Ahttp_server%3A1.3.1</url> | |
| </identifier> | |
| </identifiers> | |
| <vulnerabilities> | |
| <vulnerability> | |
| <name>CVE-2016-5387</name> | |
| <cvssScore>5.1</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>HIGH</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-284 Improper Access Control</cwe> | |
| <description>The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.</description> | |
| <references> | |
| <reference> | |
| <source>CERT-VN</source> | |
| <url>http://www.kb.cert.org/vuls/id/797896</url> | |
| <name>VU#797896</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://www.apache.org/security/asf-httpoxy-response.txt</url> | |
| <name>https://www.apache.org/security/asf-httpoxy-response.txt</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NEKZAB7MTWVSMORHTEMCQNFFMIHCYF76/</url> | |
| <name>FEDORA-2016-9fd9bfab9e</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TGNHXJJSWDXAOEYH5TMXDPQVJMQQJOAZ/</url> | |
| <name>FEDORA-2016-df0726ae26</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>https://httpoxy.org/</url> | |
| <name>https://httpoxy.org/</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2016-1648.html</url> | |
| <name>RHSA-2016:1648</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2016-1649.html</url> | |
| <name>RHSA-2016:1649</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2016-1650.html</url> | |
| <name>RHSA-2016:1650</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id/1036330</url> | |
| <name>1036330</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.4.23</software> | |
| <software>cpe:/a:redhat:jboss_web_server:2.1.0</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2015-3183</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-17 Code</cwe> | |
| <description>The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html</url> | |
| <name>APPLE-SA-2015-08-13-2</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html</url> | |
| <name>APPLE-SA-2015-09-16-4</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/91787</url> | |
| <name>91787</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/security/vulnerabilities_24.html</url> | |
| <name>http://httpd.apache.org/security/vulnerabilities_24.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/httpd/CHANGES_2.4</url> | |
| <name>http://www.apache.org/dist/httpd/CHANGES_2.4</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html</url> | |
| <name>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://github.com/apache/httpd/commit/e427c41257957b57036d5a549b260b6185d1dd73</url> | |
| <name>https://github.com/apache/httpd/commit/e427c41257957b57036d5a549b260b6185d1dd73</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://support.apple.com/HT205219</url> | |
| <name>https://support.apple.com/HT205219</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://support.apple.com/kb/HT205031</url> | |
| <name>https://support.apple.com/kb/HT205031</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=144493176821532&w=2</url> | |
| <name>SSRT102254</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=145249627028751&w=2</url> | |
| <name>SSRT102977</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-2686-1</url> | |
| <name>USN-2686-1</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.4.13</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2015-0228</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-20 Improper Input Validation</cwe> | |
| <description>The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html</url> | |
| <name>APPLE-SA-2015-08-13-2</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html</url> | |
| <name>APPLE-SA-2015-09-16-4</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/91787</url> | |
| <name>91787</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://advisories.mageia.org/MGASA-2015-0099.html</url> | |
| <name>http://advisories.mageia.org/MGASA-2015-0099.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES</url> | |
| <name>http://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html</url> | |
| <name>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://github.com/apache/httpd/commit/643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef</url> | |
| <name>https://github.com/apache/httpd/commit/643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://support.apple.com/HT205219</url> | |
| <name>https://support.apple.com/HT205219</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://support.apple.com/kb/HT205031</url> | |
| <name>https://support.apple.com/kb/HT205031</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-updates/2015-03/msg00006.html</url> | |
| <name>openSUSE-SU-2015:0418</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-2523-1</url> | |
| <name>USN-2523-1</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.4.12</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2014-3581</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-399 Resource Management Errors</cwe> | |
| <description>The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html</url> | |
| <name>APPLE-SA-2015-08-13-2</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html</url> | |
| <name>APPLE-SA-2015-09-16-4</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/71656</url> | |
| <name>71656</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup&pathrev=1627749</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?view=markup&pathrev=1627749</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=revision&revision=1624234</url> | |
| <name>http://svn.apache.org/viewvc?view=revision&revision=1624234</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=1149709</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=1149709</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://support.apple.com/HT205219</url> | |
| <name>https://support.apple.com/HT205219</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://support.apple.com/kb/HT205031</url> | |
| <name>https://support.apple.com/kb/HT205031</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2015-0325.html</url> | |
| <name>RHSA-2015:0325</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id/1031005</url> | |
| <name>1031005</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-2523-1</url> | |
| <name>USN-2523-1</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/97027</url> | |
| <name>apache-cve20143581-dos(97027)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:apache_http_server:2.4.0</software> | |
| <software>cpe:/a:apache:apache_http_server:2.4.1</software> | |
| <software>cpe:/a:apache:apache_http_server:2.4.2</software> | |
| <software>cpe:/a:apache:apache_http_server:2.4.3</software> | |
| <software>cpe:/a:apache:apache_http_server:2.4.4</software> | |
| <software>cpe:/a:apache:apache_http_server:2.4.5</software> | |
| <software>cpe:/a:apache:apache_http_server:2.4.6</software> | |
| <software>cpe:/a:apache:apache_http_server:2.4.7</software> | |
| <software>cpe:/a:apache:apache_http_server:2.4.8</software> | |
| <software>cpe:/a:apache:apache_http_server:2.4.9</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:apache_http_server:2.4.10</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2014-0231</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-399 Resource Management Errors</cwe> | |
| <description>The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html</url> | |
| <name>APPLE-SA-2015-04-08-2</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/68742</url> | |
| <name>68742</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://advisories.mageia.org/MGASA-2014-0304.html</url> | |
| <name>http://advisories.mageia.org/MGASA-2014-0304.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://advisories.mageia.org/MGASA-2014-0305.html</url> | |
| <name>http://advisories.mageia.org/MGASA-2014-0305.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/security/vulnerabilities_24.html</url> | |
| <name>http://httpd.apache.org/security/vulnerabilities_24.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_cgid.c</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_cgid.c</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_cgid.c?r1=1482522&r2=1535125&diff_format=h</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_cgid.c?r1=1482522&r2=1535125&diff_format=h</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_cgid.c?r1=1565711&r2=1610509&diff_format=h</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_cgid.c?r1=1565711&r2=1610509&diff_format=h</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=1120596</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=1120596</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://support.apple.com/HT204659</url> | |
| <name>https://support.apple.com/HT204659</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2014/dsa-2989</url> | |
| <name>DSA-2989</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=143748090628601&w=2</url> | |
| <name>HPSBMU03380</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=144050155601375&w=2</url> | |
| <name>HPSBMU03409</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=143403519711434&w=2</url> | |
| <name>SSRT102066</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=144493176821532&w=2</url> | |
| <name>SSRT102254</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2014:142</url> | |
| <name>MDVSA-2014:142</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://packetstormsecurity.com/files/130769/RSA-Digital-Certificate-Solution-XSS-Denial-Of-Service.html</url> | |
| <name>http://packetstormsecurity.com/files/130769/RSA-Digital-Certificate-Solution-XSS-Denial-Of-Service.html</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2014-1019.html</url> | |
| <name>RHSA-2014:1019</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2014-1020.html</url> | |
| <name>RHSA-2014:1020</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2014-1021.html</url> | |
| <name>RHSA-2014:1021</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.5</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software>cpe:/a:apache:http_server:2.2.13</software> | |
| <software>cpe:/a:apache:http_server:2.2.14</software> | |
| <software>cpe:/a:apache:http_server:2.2.15</software> | |
| <software>cpe:/a:apache:http_server:2.2.16</software> | |
| <software>cpe:/a:apache:http_server:2.2.17</software> | |
| <software>cpe:/a:apache:http_server:2.2.18</software> | |
| <software>cpe:/a:apache:http_server:2.2.19</software> | |
| <software>cpe:/a:apache:http_server:2.2.20</software> | |
| <software>cpe:/a:apache:http_server:2.2.21</software> | |
| <software>cpe:/a:apache:http_server:2.2.22</software> | |
| <software>cpe:/a:apache:http_server:2.2.23</software> | |
| <software>cpe:/a:apache:http_server:2.2.24</software> | |
| <software>cpe:/a:apache:http_server:2.2.25</software> | |
| <software>cpe:/a:apache:http_server:2.2.26</software> | |
| <software>cpe:/a:apache:http_server:2.2.27</software> | |
| <software>cpe:/a:apache:http_server:2.4.1</software> | |
| <software>cpe:/a:apache:http_server:2.4.2</software> | |
| <software>cpe:/a:apache:http_server:2.4.3</software> | |
| <software>cpe:/a:apache:http_server:2.4.4</software> | |
| <software>cpe:/a:apache:http_server:2.4.6</software> | |
| <software>cpe:/a:apache:http_server:2.4.7</software> | |
| <software>cpe:/a:apache:http_server:2.4.8</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.4.9</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2014-0226</name> | |
| <cvssScore>6.8</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')</cwe> | |
| <description>Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html</url> | |
| <name>APPLE-SA-2015-04-08-2</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/68678</url> | |
| <name>68678</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://advisories.mageia.org/MGASA-2014-0304.html</url> | |
| <name>http://advisories.mageia.org/MGASA-2014-0304.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://advisories.mageia.org/MGASA-2014-0305.html</url> | |
| <name>http://advisories.mageia.org/MGASA-2014-0305.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/security/vulnerabilities_24.html</url> | |
| <name>http://httpd.apache.org/security/vulnerabilities_24.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?r1=1450998&r2=1610491&diff_format=h</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?r1=1450998&r2=1610491&diff_format=h</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/lua/lua_request.c</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/lua/lua_request.c</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/lua/lua_request.c?r1=1588989&r2=1610491&diff_format=h</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/lua/lua_request.c?r1=1588989&r2=1610491&diff_format=h</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=1120603</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=1120603</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://support.apple.com/HT204659</url> | |
| <name>https://support.apple.com/HT204659</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2014/dsa-2989</url> | |
| <name>DSA-2989</name> | |
| </reference> | |
| <reference> | |
| <source>EXPLOIT-DB</source> | |
| <url>http://www.exploit-db.com/exploits/34133</url> | |
| <name>34133</name> | |
| </reference> | |
| <reference> | |
| <source>FULLDISC</source> | |
| <url>http://seclists.org/fulldisclosure/2014/Jul/114</url> | |
| <name>20140721 Apache HTTPd - description of the CVE-2014-0226.</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=143748090628601&w=2</url> | |
| <name>HPSBMU03380</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=144050155601375&w=2</url> | |
| <name>HPSBMU03409</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=143403519711434&w=2</url> | |
| <name>SSRT102066</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=144493176821532&w=2</url> | |
| <name>SSRT102254</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2014:142</url> | |
| <name>MDVSA-2014:142</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://zerodayinitiative.com/advisories/ZDI-14-236/</url> | |
| <name>http://zerodayinitiative.com/advisories/ZDI-14-236/</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2014-1019.html</url> | |
| <name>RHSA-2014:1019</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2014-1020.html</url> | |
| <name>RHSA-2014:1020</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2014-1021.html</url> | |
| <name>RHSA-2014:1021</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:2.4.1</software> | |
| <software>cpe:/a:apache:http_server:2.4.2</software> | |
| <software>cpe:/a:apache:http_server:2.4.3</software> | |
| <software>cpe:/a:apache:http_server:2.4.4</software> | |
| <software>cpe:/a:apache:http_server:2.4.6</software> | |
| <software>cpe:/a:apache:http_server:2.4.7</software> | |
| <software>cpe:/a:apache:http_server:2.4.8</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.4.9</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2014-0118</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-399 Resource Management Errors</cwe> | |
| <description>The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html</url> | |
| <name>APPLE-SA-2015-04-08-2</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/68745</url> | |
| <name>68745</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://advisories.mageia.org/MGASA-2014-0304.html</url> | |
| <name>http://advisories.mageia.org/MGASA-2014-0304.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://advisories.mageia.org/MGASA-2014-0305.html</url> | |
| <name>http://advisories.mageia.org/MGASA-2014-0305.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/security/vulnerabilities_24.html</url> | |
| <name>http://httpd.apache.org/security/vulnerabilities_24.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_deflate.c</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_deflate.c</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_deflate.c?r1=1604353&r2=1610501&diff_format=h</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_deflate.c?r1=1604353&r2=1610501&diff_format=h</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=1120601</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=1120601</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://support.apple.com/HT204659</url> | |
| <name>https://support.apple.com/HT204659</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2014/dsa-2989</url> | |
| <name>DSA-2989</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=143748090628601&w=2</url> | |
| <name>HPSBMU03380</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=144050155601375&w=2</url> | |
| <name>HPSBMU03409</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=143403519711434&w=2</url> | |
| <name>SSRT102066</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=144493176821532&w=2</url> | |
| <name>SSRT102254</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2014:142</url> | |
| <name>MDVSA-2014:142</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2014-1019.html</url> | |
| <name>RHSA-2014:1019</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2014-1020.html</url> | |
| <name>RHSA-2014:1020</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2014-1021.html</url> | |
| <name>RHSA-2014:1021</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:2.4.1</software> | |
| <software>cpe:/a:apache:http_server:2.4.2</software> | |
| <software>cpe:/a:apache:http_server:2.4.3</software> | |
| <software>cpe:/a:apache:http_server:2.4.4</software> | |
| <software>cpe:/a:apache:http_server:2.4.6</software> | |
| <software>cpe:/a:apache:http_server:2.4.7</software> | |
| <software>cpe:/a:apache:http_server:2.4.8</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.4.9</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2014-0098</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-20 Improper Input Validation</cwe> | |
| <description>The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html</url> | |
| <name>APPLE-SA-2014-10-16-1</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html</url> | |
| <name>APPLE-SA-2015-04-08-2</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/66303</url> | |
| <name>66303</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/534161/100/0/threaded</url> | |
| <name>20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://advisories.mageia.org/MGASA-2014-0135.html</url> | |
| <name>http://advisories.mageia.org/MGASA-2014-0135.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698</url> | |
| <name>http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/loggers/mod_log_config.c</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/loggers/mod_log_config.c</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/loggers/mod_log_config.c?r1=1575394&r2=1575400&diff_format=h</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/loggers/mod_log_config.c?r1=1575394&r2=1575400&diff_format=h</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21668973</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21668973</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676091</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676091</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676092</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676092</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/httpd/CHANGES_2.4.9</url> | |
| <name>http://www.apache.org/dist/httpd/CHANGES_2.4.9</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.vmware.com/security/advisories/VMSA-2014-0012.html</url> | |
| <name>http://www.vmware.com/security/advisories/VMSA-2014-0012.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://blogs.oracle.com/sunsecurity/entry/multiple_input_validation_vulnerabilities_in1</url> | |
| <name>https://blogs.oracle.com/sunsecurity/entry/multiple_input_validation_vulnerabilities_in1</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://support.apple.com/HT204659</url> | |
| <name>https://support.apple.com/HT204659</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://support.apple.com/kb/HT6535</url> | |
| <name>https://support.apple.com/kb/HT6535</name> | |
| </reference> | |
| <reference> | |
| <source>FULLDISC</source> | |
| <url>http://seclists.org/fulldisclosure/2014/Dec/23</url> | |
| <name>20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=141390017113542&w=2</url> | |
| <name>HPSBUX03150</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=141017844705317&w=2</url> | |
| <name>SSRT101681</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-2152-1</url> | |
| <name>USN-2152-1</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.0.63</software> | |
| <software>cpe:/a:apache:http_server:2.0.64</software> | |
| <software>cpe:/a:apache:http_server:2.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.2</software> | |
| <software>cpe:/a:apache:http_server:2.1.3</software> | |
| <software>cpe:/a:apache:http_server:2.1.4</software> | |
| <software>cpe:/a:apache:http_server:2.1.5</software> | |
| <software>cpe:/a:apache:http_server:2.1.6</software> | |
| <software>cpe:/a:apache:http_server:2.1.7</software> | |
| <software>cpe:/a:apache:http_server:2.1.8</software> | |
| <software>cpe:/a:apache:http_server:2.1.9</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software>cpe:/a:apache:http_server:2.2.13</software> | |
| <software>cpe:/a:apache:http_server:2.2.14</software> | |
| <software>cpe:/a:apache:http_server:2.2.15</software> | |
| <software>cpe:/a:apache:http_server:2.2.16</software> | |
| <software>cpe:/a:apache:http_server:2.2.17</software> | |
| <software>cpe:/a:apache:http_server:2.2.18</software> | |
| <software>cpe:/a:apache:http_server:2.2.19</software> | |
| <software>cpe:/a:apache:http_server:2.2.20</software> | |
| <software>cpe:/a:apache:http_server:2.2.21</software> | |
| <software>cpe:/a:apache:http_server:2.2.22</software> | |
| <software>cpe:/a:apache:http_server:2.2.23</software> | |
| <software>cpe:/a:apache:http_server:2.2.24</software> | |
| <software>cpe:/a:apache:http_server:2.2.25</software> | |
| <software>cpe:/a:apache:http_server:2.3.0</software> | |
| <software>cpe:/a:apache:http_server:2.3.1</software> | |
| <software>cpe:/a:apache:http_server:2.3.2</software> | |
| <software>cpe:/a:apache:http_server:2.3.3</software> | |
| <software>cpe:/a:apache:http_server:2.3.4</software> | |
| <software>cpe:/a:apache:http_server:2.3.5</software> | |
| <software>cpe:/a:apache:http_server:2.3.6</software> | |
| <software>cpe:/a:apache:http_server:2.3.7</software> | |
| <software>cpe:/a:apache:http_server:2.3.8</software> | |
| <software>cpe:/a:apache:http_server:2.3.9</software> | |
| <software>cpe:/a:apache:http_server:2.3.10</software> | |
| <software>cpe:/a:apache:http_server:2.3.11</software> | |
| <software>cpe:/a:apache:http_server:2.3.12</software> | |
| <software>cpe:/a:apache:http_server:2.3.13</software> | |
| <software>cpe:/a:apache:http_server:2.3.14</software> | |
| <software>cpe:/a:apache:http_server:2.3.15</software> | |
| <software>cpe:/a:apache:http_server:2.3.16</software> | |
| <software>cpe:/a:apache:http_server:2.4.0</software> | |
| <software>cpe:/a:apache:http_server:2.4.1</software> | |
| <software>cpe:/a:apache:http_server:2.4.2</software> | |
| <software>cpe:/a:apache:http_server:2.4.3</software> | |
| <software>cpe:/a:apache:http_server:2.4.4</software> | |
| <software>cpe:/a:apache:http_server:2.4.6</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.4.7</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2013-6438</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-20 Improper Input Validation</cwe> | |
| <description>The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html</url> | |
| <name>APPLE-SA-2014-10-16-1</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html</url> | |
| <name>APPLE-SA-2015-04-08-2</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/66303</url> | |
| <name>66303</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/534161/100/0/threaded</url> | |
| <name>20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://advisories.mageia.org/MGASA-2014-0135.html</url> | |
| <name>http://advisories.mageia.org/MGASA-2014-0135.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698</url> | |
| <name>http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/util.c</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/util.c</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/util.c?r1=1528718&r2=1556428&diff_format=h</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/util.c?r1=1528718&r2=1556428&diff_format=h</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21669554</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21669554</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676091</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676091</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676092</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676092</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/httpd/CHANGES_2.4.9</url> | |
| <name>http://www.apache.org/dist/httpd/CHANGES_2.4.9</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.vmware.com/security/advisories/VMSA-2014-0012.html</url> | |
| <name>http://www.vmware.com/security/advisories/VMSA-2014-0012.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://blogs.oracle.com/sunsecurity/entry/multiple_input_validation_vulnerabilities_in1</url> | |
| <name>https://blogs.oracle.com/sunsecurity/entry/multiple_input_validation_vulnerabilities_in1</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://support.apple.com/HT204659</url> | |
| <name>https://support.apple.com/HT204659</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://support.apple.com/kb/HT6535</url> | |
| <name>https://support.apple.com/kb/HT6535</name> | |
| </reference> | |
| <reference> | |
| <source>FULLDISC</source> | |
| <url>http://seclists.org/fulldisclosure/2014/Dec/23</url> | |
| <name>20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=141390017113542&w=2</url> | |
| <name>HPSBUX03150</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=141017844705317&w=2</url> | |
| <name>SSRT101681</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-2152-1</url> | |
| <name>USN-2152-1</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.0.63</software> | |
| <software>cpe:/a:apache:http_server:2.0.64</software> | |
| <software>cpe:/a:apache:http_server:2.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.2</software> | |
| <software>cpe:/a:apache:http_server:2.1.3</software> | |
| <software>cpe:/a:apache:http_server:2.1.4</software> | |
| <software>cpe:/a:apache:http_server:2.1.5</software> | |
| <software>cpe:/a:apache:http_server:2.1.6</software> | |
| <software>cpe:/a:apache:http_server:2.1.7</software> | |
| <software>cpe:/a:apache:http_server:2.1.8</software> | |
| <software>cpe:/a:apache:http_server:2.1.9</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software>cpe:/a:apache:http_server:2.2.13</software> | |
| <software>cpe:/a:apache:http_server:2.2.14</software> | |
| <software>cpe:/a:apache:http_server:2.2.15</software> | |
| <software>cpe:/a:apache:http_server:2.2.16</software> | |
| <software>cpe:/a:apache:http_server:2.2.17</software> | |
| <software>cpe:/a:apache:http_server:2.2.18</software> | |
| <software>cpe:/a:apache:http_server:2.2.19</software> | |
| <software>cpe:/a:apache:http_server:2.2.20</software> | |
| <software>cpe:/a:apache:http_server:2.2.21</software> | |
| <software>cpe:/a:apache:http_server:2.2.22</software> | |
| <software>cpe:/a:apache:http_server:2.2.23</software> | |
| <software>cpe:/a:apache:http_server:2.2.24</software> | |
| <software>cpe:/a:apache:http_server:2.2.25</software> | |
| <software>cpe:/a:apache:http_server:2.3.0</software> | |
| <software>cpe:/a:apache:http_server:2.3.1</software> | |
| <software>cpe:/a:apache:http_server:2.3.2</software> | |
| <software>cpe:/a:apache:http_server:2.3.3</software> | |
| <software>cpe:/a:apache:http_server:2.3.4</software> | |
| <software>cpe:/a:apache:http_server:2.3.5</software> | |
| <software>cpe:/a:apache:http_server:2.3.6</software> | |
| <software>cpe:/a:apache:http_server:2.3.7</software> | |
| <software>cpe:/a:apache:http_server:2.3.8</software> | |
| <software>cpe:/a:apache:http_server:2.3.9</software> | |
| <software>cpe:/a:apache:http_server:2.3.10</software> | |
| <software>cpe:/a:apache:http_server:2.3.11</software> | |
| <software>cpe:/a:apache:http_server:2.3.12</software> | |
| <software>cpe:/a:apache:http_server:2.3.13</software> | |
| <software>cpe:/a:apache:http_server:2.3.14</software> | |
| <software>cpe:/a:apache:http_server:2.3.15</software> | |
| <software>cpe:/a:apache:http_server:2.3.16</software> | |
| <software>cpe:/a:apache:http_server:2.4.0</software> | |
| <software>cpe:/a:apache:http_server:2.4.1</software> | |
| <software>cpe:/a:apache:http_server:2.4.2</software> | |
| <software>cpe:/a:apache:http_server:2.4.3</software> | |
| <software>cpe:/a:apache:http_server:2.4.4</software> | |
| <software>cpe:/a:apache:http_server:2.4.6</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.4.7</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2013-2249</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.</description> | |
| <references> | |
| <reference> | |
| <source>CISCO</source> | |
| <url>http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-2249</url> | |
| <name>20130822 Apache HTTP Server mod_session_dbd Save Operations Vulnerability</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698</url> | |
| <name>http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/mod_session_dbd.c?r1=1409170&r2=1488158&diff_format=h</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/mod_session_dbd.c?r1=1409170&r2=1488158&diff_format=h</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/httpd/CHANGES_2.4.6</url> | |
| <name>http://www.apache.org/dist/httpd/CHANGES_2.4.6</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:0.8.11</software> | |
| <software>cpe:/a:apache:http_server:0.8.14</software> | |
| <software>cpe:/a:apache:http_server:1.0</software> | |
| <software>cpe:/a:apache:http_server:1.0.2</software> | |
| <software>cpe:/a:apache:http_server:1.0.3</software> | |
| <software>cpe:/a:apache:http_server:1.0.5</software> | |
| <software>cpe:/a:apache:http_server:1.1</software> | |
| <software>cpe:/a:apache:http_server:1.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.2</software> | |
| <software>cpe:/a:apache:http_server:1.2.4</software> | |
| <software>cpe:/a:apache:http_server:1.2.5</software> | |
| <software>cpe:/a:apache:http_server:1.2.6</software> | |
| <software>cpe:/a:apache:http_server:1.2.9</software> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.16</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.34</software> | |
| <software>cpe:/a:apache:http_server:1.3.35</software> | |
| <software>cpe:/a:apache:http_server:1.3.36</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:1.3.41</software> | |
| <software>cpe:/a:apache:http_server:1.3.42</software> | |
| <software>cpe:/a:apache:http_server:1.3.65</software> | |
| <software>cpe:/a:apache:http_server:1.3.68</software> | |
| <software>cpe:/a:apache:http_server:1.4.0</software> | |
| <software>cpe:/a:apache:http_server:1.99</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.0.63</software> | |
| <software>cpe:/a:apache:http_server:2.0.64</software> | |
| <software>cpe:/a:apache:http_server:2.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.2</software> | |
| <software>cpe:/a:apache:http_server:2.1.3</software> | |
| <software>cpe:/a:apache:http_server:2.1.4</software> | |
| <software>cpe:/a:apache:http_server:2.1.5</software> | |
| <software>cpe:/a:apache:http_server:2.1.6</software> | |
| <software>cpe:/a:apache:http_server:2.1.7</software> | |
| <software>cpe:/a:apache:http_server:2.1.8</software> | |
| <software>cpe:/a:apache:http_server:2.1.9</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software>cpe:/a:apache:http_server:2.2.13</software> | |
| <software>cpe:/a:apache:http_server:2.2.14</software> | |
| <software>cpe:/a:apache:http_server:2.2.15</software> | |
| <software>cpe:/a:apache:http_server:2.2.16</software> | |
| <software>cpe:/a:apache:http_server:2.2.17</software> | |
| <software>cpe:/a:apache:http_server:2.2.18</software> | |
| <software>cpe:/a:apache:http_server:2.2.19</software> | |
| <software>cpe:/a:apache:http_server:2.2.20</software> | |
| <software>cpe:/a:apache:http_server:2.2.21</software> | |
| <software>cpe:/a:apache:http_server:2.2.22</software> | |
| <software>cpe:/a:apache:http_server:2.2.23</software> | |
| <software>cpe:/a:apache:http_server:2.2.24</software> | |
| <software>cpe:/a:apache:http_server:2.2.25</software> | |
| <software>cpe:/a:apache:http_server:2.3.0</software> | |
| <software>cpe:/a:apache:http_server:2.3.1</software> | |
| <software>cpe:/a:apache:http_server:2.3.2</software> | |
| <software>cpe:/a:apache:http_server:2.3.3</software> | |
| <software>cpe:/a:apache:http_server:2.3.4</software> | |
| <software>cpe:/a:apache:http_server:2.3.5</software> | |
| <software>cpe:/a:apache:http_server:2.3.6</software> | |
| <software>cpe:/a:apache:http_server:2.3.7</software> | |
| <software>cpe:/a:apache:http_server:2.3.8</software> | |
| <software>cpe:/a:apache:http_server:2.3.9</software> | |
| <software>cpe:/a:apache:http_server:2.3.10</software> | |
| <software>cpe:/a:apache:http_server:2.3.11</software> | |
| <software>cpe:/a:apache:http_server:2.3.12</software> | |
| <software>cpe:/a:apache:http_server:2.3.13</software> | |
| <software>cpe:/a:apache:http_server:2.3.14</software> | |
| <software>cpe:/a:apache:http_server:2.3.15</software> | |
| <software>cpe:/a:apache:http_server:2.3.16</software> | |
| <software>cpe:/a:apache:http_server:2.4.0</software> | |
| <software>cpe:/a:apache:http_server:2.4.1</software> | |
| <software>cpe:/a:apache:http_server:2.4.2</software> | |
| <software>cpe:/a:apache:http_server:2.4.3</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.4.4</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2013-1896</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-264 Permissions, Privileges, and Access Controls</cwe> | |
| <description>mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.</description> | |
| <references> | |
| <reference> | |
| <source>CISCO</source> | |
| <url>http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1896</url> | |
| <name>20130822 Apache HTTP Server MERGE Request Denial of Service Vulnerability</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT6150</url> | |
| <name>http://support.apple.com/kb/HT6150</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?r1=1482522&r2=1485668&diff_format=h</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?r1=1482522&r2=1485668&diff_format=h</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?view=log</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?view=log</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21644047</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21644047</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/httpd/Announcement2.2.html</url> | |
| <name>http://www.apache.org/dist/httpd/Announcement2.2.html</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c03922406-1%257CdocLocale%253D%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken</url> | |
| <name>SSRT101288</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2013-1156.html</url> | |
| <name>RHSA-2013:1156</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2013-1207.html</url> | |
| <name>RHSA-2013:1207</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2013-1208.html</url> | |
| <name>RHSA-2013:1208</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2013-1209.html</url> | |
| <name>RHSA-2013:1209</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-updates/2013-08/msg00026.html</url> | |
| <name>openSUSE-SU-2013:1337</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-updates/2013-08/msg00029.html</url> | |
| <name>openSUSE-SU-2013:1340</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-updates/2013-08/msg00030.html</url> | |
| <name>openSUSE-SU-2013:1341</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-1903-1</url> | |
| <name>USN-1903-1</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software>cpe:/a:apache:http_server:2.2.13</software> | |
| <software>cpe:/a:apache:http_server:2.2.14</software> | |
| <software>cpe:/a:apache:http_server:2.2.15</software> | |
| <software>cpe:/a:apache:http_server:2.2.16</software> | |
| <software>cpe:/a:apache:http_server:2.2.17</software> | |
| <software>cpe:/a:apache:http_server:2.2.18</software> | |
| <software>cpe:/a:apache:http_server:2.2.19</software> | |
| <software>cpe:/a:apache:http_server:2.2.20</software> | |
| <software>cpe:/a:apache:http_server:2.2.21</software> | |
| <software>cpe:/a:apache:http_server:2.2.22</software> | |
| <software>cpe:/a:apache:http_server:2.2.23</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.2.24</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2012-0883</name> | |
| <cvssScore>6.9</cvssScore> | |
| <cvssAccessVector>LOCAL</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>COMPLETE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>COMPLETE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-264 Permissions, Privileges, and Access Controls</cwe> | |
| <description>envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html</url> | |
| <name>APPLE-SA-2013-09-12-1</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT5880</url> | |
| <name>http://support.apple.com/kb/HT5880</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=revision&revision=1296428</url> | |
| <name>http://svn.apache.org/viewvc?view=revision&revision=1296428</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/httpd/Announcement2.4.html</url> | |
| <name>http://www.apache.org/dist/httpd/Announcement2.4.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf</url> | |
| <name>http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862</url> | |
| <name>HPSBMU02900</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=134012830914727&w=2</url> | |
| <name>SSRT100856</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://article.gmane.org/gmane.comp.apache.devel/48158</url> | |
| <name>[dev] 20120417 [ANNOUNCEMENT] Apache HTTP Server 2.4.2 Released</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1026932</url> | |
| <name>1026932</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-updates/2013-02/msg00009.html</url> | |
| <name>openSUSE-SU-2013:0243</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-updates/2013-02/msg00012.html</url> | |
| <name>openSUSE-SU-2013:0248</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:0.8.11</software> | |
| <software>cpe:/a:apache:http_server:0.8.14</software> | |
| <software>cpe:/a:apache:http_server:1.0</software> | |
| <software>cpe:/a:apache:http_server:1.0.2</software> | |
| <software>cpe:/a:apache:http_server:1.0.3</software> | |
| <software>cpe:/a:apache:http_server:1.0.5</software> | |
| <software>cpe:/a:apache:http_server:1.1</software> | |
| <software>cpe:/a:apache:http_server:1.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.2</software> | |
| <software>cpe:/a:apache:http_server:1.2.4</software> | |
| <software>cpe:/a:apache:http_server:1.2.5</software> | |
| <software>cpe:/a:apache:http_server:1.2.6</software> | |
| <software>cpe:/a:apache:http_server:1.2.9</software> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.16</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.34</software> | |
| <software>cpe:/a:apache:http_server:1.3.35</software> | |
| <software>cpe:/a:apache:http_server:1.3.36</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:1.3.41</software> | |
| <software>cpe:/a:apache:http_server:1.3.42</software> | |
| <software>cpe:/a:apache:http_server:1.3.65</software> | |
| <software>cpe:/a:apache:http_server:1.3.68</software> | |
| <software>cpe:/a:apache:http_server:1.4.0</software> | |
| <software>cpe:/a:apache:http_server:1.99</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.0.63</software> | |
| <software>cpe:/a:apache:http_server:2.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.2</software> | |
| <software>cpe:/a:apache:http_server:2.1.3</software> | |
| <software>cpe:/a:apache:http_server:2.1.4</software> | |
| <software>cpe:/a:apache:http_server:2.1.5</software> | |
| <software>cpe:/a:apache:http_server:2.1.6</software> | |
| <software>cpe:/a:apache:http_server:2.1.7</software> | |
| <software>cpe:/a:apache:http_server:2.1.8</software> | |
| <software>cpe:/a:apache:http_server:2.1.9</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software>cpe:/a:apache:http_server:2.2.13</software> | |
| <software>cpe:/a:apache:http_server:2.2.14</software> | |
| <software>cpe:/a:apache:http_server:2.2.15</software> | |
| <software>cpe:/a:apache:http_server:2.2.16</software> | |
| <software>cpe:/a:apache:http_server:2.2.17</software> | |
| <software>cpe:/a:apache:http_server:2.2.18</software> | |
| <software>cpe:/a:apache:http_server:2.2.19</software> | |
| <software>cpe:/a:apache:http_server:2.2.20</software> | |
| <software>cpe:/a:apache:http_server:2.2.21</software> | |
| <software>cpe:/a:apache:http_server:2.3.0</software> | |
| <software>cpe:/a:apache:http_server:2.3.1</software> | |
| <software>cpe:/a:apache:http_server:2.3.2</software> | |
| <software>cpe:/a:apache:http_server:2.3.3</software> | |
| <software>cpe:/a:apache:http_server:2.3.4</software> | |
| <software>cpe:/a:apache:http_server:2.3.5</software> | |
| <software>cpe:/a:apache:http_server:2.3.6</software> | |
| <software>cpe:/a:apache:http_server:2.3.7</software> | |
| <software>cpe:/a:apache:http_server:2.3.8</software> | |
| <software>cpe:/a:apache:http_server:2.3.9</software> | |
| <software>cpe:/a:apache:http_server:2.3.10</software> | |
| <software>cpe:/a:apache:http_server:2.3.11</software> | |
| <software>cpe:/a:apache:http_server:2.3.12</software> | |
| <software>cpe:/a:apache:http_server:2.3.13</software> | |
| <software>cpe:/a:apache:http_server:2.3.14</software> | |
| <software>cpe:/a:apache:http_server:2.3.15</software> | |
| <software>cpe:/a:apache:http_server:2.3.16</software> | |
| <software>cpe:/a:apache:http_server:2.4.0</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.4.1</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2012-0031</name> | |
| <cvssScore>4.6</cvssScore> | |
| <cvssAccessVector>LOCAL</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-399 Resource Management Errors</cwe> | |
| <description>scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html</url> | |
| <name>APPLE-SA-2012-09-19-2</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/51407</url> | |
| <name>51407</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT5501</url> | |
| <name>http://support.apple.com/kb/HT5501</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=revision&revision=1230065</url> | |
| <name>http://svn.apache.org/viewvc?view=revision&revision=1230065</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=773744</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=773744</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041</url> | |
| <name>HPSBMU02786</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=133494237717847&w=2</url> | |
| <name>SSRT100823</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=134987041210674&w=2</url> | |
| <name>SSRT100966</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2013:150</url> | |
| <name>MDVSA-2013:150</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/</url> | |
| <name>http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2012-0128.html</url> | |
| <name>RHSA-2012:0128</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00026.html</url> | |
| <name>openSUSE-SU-2012:0314</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.0</software> | |
| <software>cpe:/a:apache:http_server:1.0.2</software> | |
| <software>cpe:/a:apache:http_server:1.0.3</software> | |
| <software>cpe:/a:apache:http_server:1.0.5</software> | |
| <software>cpe:/a:apache:http_server:1.1</software> | |
| <software>cpe:/a:apache:http_server:1.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.2</software> | |
| <software>cpe:/a:apache:http_server:1.2.4</software> | |
| <software>cpe:/a:apache:http_server:1.2.5</software> | |
| <software>cpe:/a:apache:http_server:1.2.6</software> | |
| <software>cpe:/a:apache:http_server:1.2.9</software> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.16</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.34</software> | |
| <software>cpe:/a:apache:http_server:1.3.35</software> | |
| <software>cpe:/a:apache:http_server:1.3.36</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:1.3.41</software> | |
| <software>cpe:/a:apache:http_server:1.3.42</software> | |
| <software>cpe:/a:apache:http_server:1.3.65</software> | |
| <software>cpe:/a:apache:http_server:1.3.68</software> | |
| <software>cpe:/a:apache:http_server:1.4.0</software> | |
| <software>cpe:/a:apache:http_server:1.99</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.0.63</software> | |
| <software>cpe:/a:apache:http_server:2.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.2</software> | |
| <software>cpe:/a:apache:http_server:2.1.3</software> | |
| <software>cpe:/a:apache:http_server:2.1.4</software> | |
| <software>cpe:/a:apache:http_server:2.1.5</software> | |
| <software>cpe:/a:apache:http_server:2.1.6</software> | |
| <software>cpe:/a:apache:http_server:2.1.7</software> | |
| <software>cpe:/a:apache:http_server:2.1.8</software> | |
| <software>cpe:/a:apache:http_server:2.1.9</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software>cpe:/a:apache:http_server:2.2.13</software> | |
| <software>cpe:/a:apache:http_server:2.2.14</software> | |
| <software>cpe:/a:apache:http_server:2.2.15</software> | |
| <software>cpe:/a:apache:http_server:2.2.16</software> | |
| <software>cpe:/a:apache:http_server:2.2.17</software> | |
| <software>cpe:/a:apache:http_server:2.2.18</software> | |
| <software>cpe:/a:apache:http_server:2.2.19</software> | |
| <software>cpe:/a:apache:http_server:2.2.20</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.2.21</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2011-4317</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-20 Improper Input Validation</cwe> | |
| <description>The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign) character and a : (colon) character in invalid positions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html</url> | |
| <name>APPLE-SA-2012-09-19-2</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://kb.juniper.net/JSA10585</url> | |
| <name>http://kb.juniper.net/JSA10585</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT5501</url> | |
| <name>http://support.apple.com/kb/HT5501</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://thread.gmane.org/gmane.comp.apache.devel/46440</url> | |
| <name>http://thread.gmane.org/gmane.comp.apache.devel/46440</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=756483</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=756483</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041</url> | |
| <name>SSRT100877</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=134987041210674&w=2</url> | |
| <name>SSRT100966</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2012:003</url> | |
| <name>MDVSA-2012:003</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2013:150</url> | |
| <name>MDVSA-2013:150</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue</url> | |
| <name>https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2012-0128.html</url> | |
| <name>RHSA-2012:0128</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1026353</url> | |
| <name>1026353</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-updates/2013-02/msg00009.html</url> | |
| <name>openSUSE-SU-2013:0243</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-updates/2013-02/msg00012.html</url> | |
| <name>openSUSE-SU-2013:0248</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.16</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.34</software> | |
| <software>cpe:/a:apache:http_server:1.3.35</software> | |
| <software>cpe:/a:apache:http_server:1.3.36</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:1.3.41</software> | |
| <software>cpe:/a:apache:http_server:1.3.42</software> | |
| <software>cpe:/a:apache:http_server:1.3.65</software> | |
| <software>cpe:/a:apache:http_server:1.3.68</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.0.63</software> | |
| <software>cpe:/a:apache:http_server:2.0.64</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software>cpe:/a:apache:http_server:2.2.13</software> | |
| <software>cpe:/a:apache:http_server:2.2.14</software> | |
| <software>cpe:/a:apache:http_server:2.2.15</software> | |
| <software>cpe:/a:apache:http_server:2.2.16</software> | |
| <software>cpe:/a:apache:http_server:2.2.18</software> | |
| <software>cpe:/a:apache:http_server:2.2.19</software> | |
| <software>cpe:/a:apache:http_server:2.2.20</software> | |
| <software>cpe:/a:apache:http_server:2.2.21</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2011-3368</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-20 Improper Input Validation</cwe> | |
| <description>The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.</description> | |
| <references> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=nas2064c7e5f53452ff686257927003c8d42</url> | |
| <name>SE49723</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=nas2b7c57b1f1035675186257927003c8d48</url> | |
| <name>SE49724</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html</url> | |
| <name>APPLE-SA-2012-09-19-2</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/49957</url> | |
| <name>49957</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://kb.juniper.net/JSA10585</url> | |
| <name>http://kb.juniper.net/JSA10585</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT5501</url> | |
| <name>http://support.apple.com/kb/HT5501</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=revision&revision=1179239</url> | |
| <name>http://svn.apache.org/viewvc?view=revision&revision=1179239</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=740045</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=740045</name> | |
| </reference> | |
| <reference> | |
| <source>EXPLOIT-DB</source> | |
| <url>http://www.exploit-db.com/exploits/17969</url> | |
| <name>17969</name> | |
| </reference> | |
| <reference> | |
| <source>FULLDISC</source> | |
| <url>http://seclists.org/fulldisclosure/2011/Oct/232</url> | |
| <name>20111005 Apache HTTP Server: mod_proxy reverse proxy exposure (CVE-2011-3368)</name> | |
| </reference> | |
| <reference> | |
| <source>FULLDISC</source> | |
| <url>http://seclists.org/fulldisclosure/2011/Oct/273</url> | |
| <name>20111005 Context IS Advisory - Apache Reverse Proxy Bypass Vulnerability</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=134987041210674&w=2</url> | |
| <name>SSRT100966</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2011:144</url> | |
| <name>MDVSA-2011:144</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2013:150</url> | |
| <name>MDVSA-2013:150</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.contextis.com/research/blog/reverseproxybypass/</url> | |
| <name>http://www.contextis.com/research/blog/reverseproxybypass/</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://web.archiveorange.com/archive/v/ZyS0hzECD5zzb2NkvQlt</url> | |
| <name>[announce] 20111005 Advisory: mod_proxy reverse proxy exposure (CVE-2011-3368)</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-1391.html</url> | |
| <name>RHSA-2011:1391</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-1392.html</url> | |
| <name>RHSA-2011:1392</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1026144</url> | |
| <name>1026144</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00011.html</url> | |
| <name>SUSE-SU-2011:1229</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-updates/2013-02/msg00009.html</url> | |
| <name>openSUSE-SU-2013:0243</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-updates/2013-02/msg00012.html</url> | |
| <name>openSUSE-SU-2013:0248</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/70336</url> | |
| <name>apache-modproxy-information-disclosure(70336)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.16</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.34</software> | |
| <software>cpe:/a:apache:http_server:1.3.35</software> | |
| <software>cpe:/a:apache:http_server:1.3.36</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:1.3.41</software> | |
| <software>cpe:/a:apache:http_server:1.3.42</software> | |
| <software>cpe:/a:apache:http_server:1.3.65</software> | |
| <software>cpe:/a:apache:http_server:1.3.68</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.0.63</software> | |
| <software>cpe:/a:apache:http_server:2.0.64</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software>cpe:/a:apache:http_server:2.2.13</software> | |
| <software>cpe:/a:apache:http_server:2.2.14</software> | |
| <software>cpe:/a:apache:http_server:2.2.15</software> | |
| <software>cpe:/a:apache:http_server:2.2.16</software> | |
| <software>cpe:/a:apache:http_server:2.2.18</software> | |
| <software>cpe:/a:apache:http_server:2.2.19</software> | |
| <software>cpe:/a:apache:http_server:2.2.20</software> | |
| <software>cpe:/a:apache:http_server:2.2.21</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2011-3348</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-399 Resource Management Errors</cwe> | |
| <description>The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html</url> | |
| <name>APPLE-SA-2012-02-01-1</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/49616</url> | |
| <name>49616</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/security/vulnerabilities_22.html#2.2.21</url> | |
| <name>http://httpd.apache.org/security/vulnerabilities_22.html#2.2.21</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT5130</url> | |
| <name>http://support.apple.com/kb/HT5130</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/httpd/Announcement2.2.html</url> | |
| <name>http://www.apache.org/dist/httpd/Announcement2.2.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=132033751509019&w=2</url> | |
| <name>HPSBMU02704</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=131731002122529&w=2</url> | |
| <name>HPSBUX02707</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2011:168</url> | |
| <name>MDVSA-2011:168</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://community.jboss.org/message/625307</url> | |
| <name>http://community.jboss.org/message/625307</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-1391.html</url> | |
| <name>RHSA-2011:1391</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1026054</url> | |
| <name>1026054</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/69804</url> | |
| <name>apache-modproxyajp-dos(69804)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:0.8.11</software> | |
| <software>cpe:/a:apache:http_server:0.8.14</software> | |
| <software>cpe:/a:apache:http_server:1.0</software> | |
| <software>cpe:/a:apache:http_server:1.0.2</software> | |
| <software>cpe:/a:apache:http_server:1.0.3</software> | |
| <software>cpe:/a:apache:http_server:1.0.5</software> | |
| <software>cpe:/a:apache:http_server:1.1</software> | |
| <software>cpe:/a:apache:http_server:1.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.2</software> | |
| <software>cpe:/a:apache:http_server:1.2.4</software> | |
| <software>cpe:/a:apache:http_server:1.2.5</software> | |
| <software>cpe:/a:apache:http_server:1.2.6</software> | |
| <software>cpe:/a:apache:http_server:1.2.9</software> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.16</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.34</software> | |
| <software>cpe:/a:apache:http_server:1.3.35</software> | |
| <software>cpe:/a:apache:http_server:1.3.36</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:1.3.41</software> | |
| <software>cpe:/a:apache:http_server:1.3.42</software> | |
| <software>cpe:/a:apache:http_server:1.3.65</software> | |
| <software>cpe:/a:apache:http_server:1.3.68</software> | |
| <software>cpe:/a:apache:http_server:1.4.0</software> | |
| <software>cpe:/a:apache:http_server:1.99</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.0.63</software> | |
| <software>cpe:/a:apache:http_server:2.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.2</software> | |
| <software>cpe:/a:apache:http_server:2.1.3</software> | |
| <software>cpe:/a:apache:http_server:2.1.4</software> | |
| <software>cpe:/a:apache:http_server:2.1.5</software> | |
| <software>cpe:/a:apache:http_server:2.1.6</software> | |
| <software>cpe:/a:apache:http_server:2.1.7</software> | |
| <software>cpe:/a:apache:http_server:2.1.8</software> | |
| <software>cpe:/a:apache:http_server:2.1.9</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software>cpe:/a:apache:http_server:2.2.13</software> | |
| <software>cpe:/a:apache:http_server:2.2.14</software> | |
| <software>cpe:/a:apache:http_server:2.2.15</software> | |
| <software>cpe:/a:apache:http_server:2.2.16</software> | |
| <software>cpe:/a:apache:http_server:2.2.17</software> | |
| <software>cpe:/a:apache:http_server:2.2.18</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.2.20</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2011-3192</name> | |
| <cvssScore>7.8</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <cwe>CWE-399 Resource Management Errors</cwe> | |
| <description>The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html</url> | |
| <name>APPLE-SA-2011-10-12-3</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/49303</url> | |
| <name>49303</name> | |
| </reference> | |
| <reference> | |
| <source>CERT-VN</source> | |
| <url>http://www.kb.cert.org/vuls/id/405811</url> | |
| <name>VU#405811</name> | |
| </reference> | |
| <reference> | |
| <source>CISCO</source> | |
| <url>http://www.cisco.com/en/US/products/products_security_advisory09186a0080b90d73.shtml</url> | |
| <name>20110830 Apache HTTPd Range Header Denial of Service Vulnerability</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://blogs.oracle.com/security/entry/security_alert_for_cve_2011</url> | |
| <name>http://blogs.oracle.com/security/entry/security_alert_for_cve_2011</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT5002</url> | |
| <name>http://support.apple.com/kb/HT5002</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/httpd/Announcement2.2.html</url> | |
| <name>http://www.apache.org/dist/httpd/Announcement2.2.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.gossamer-threads.com/lists/apache/dev/401638</url> | |
| <name>http://www.gossamer-threads.com/lists/apache/dev/401638</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/alert-cve-2011-3192-485304.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/alert-cve-2011-3192-485304.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=732928</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=732928</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://issues.apache.org/bugzilla/show_bug.cgi?id=51714</url> | |
| <name>https://issues.apache.org/bugzilla/show_bug.cgi?id=51714</name> | |
| </reference> | |
| <reference> | |
| <source>EXPLOIT-DB</source> | |
| <url>http://www.exploit-db.com/exploits/17696</url> | |
| <name>17696</name> | |
| </reference> | |
| <reference> | |
| <source>FULLDISC</source> | |
| <url>http://seclists.org/fulldisclosure/2011/Aug/175</url> | |
| <name>20110820 Apache Killer</name> | |
| </reference> | |
| <reference> | |
| <source>FULLDISC</source> | |
| <url>http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0285.html</url> | |
| <name>20110824 Re: Apache Killer</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=132033751509019&w=2</url> | |
| <name>HPSBMU02704</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=131551295528105&w=2</url> | |
| <name>SSRT100606</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=133477473521382&w=2</url> | |
| <name>SSRT100624</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=131731002122529&w=2</url> | |
| <name>SSRT100626</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=133951357207000&w=2</url> | |
| <name>SSRT100852</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=134987041210674&w=2</url> | |
| <name>SSRT100966</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2011:130</url> | |
| <name>MDVSA-2011:130</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2013:150</url> | |
| <name>MDVSA-2013:150</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3c20110824161640.122D387DD@minotaur.apache.org%3e</url> | |
| <name>[announce] 20110824 Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x \(CVE-2011-3192\)</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3e</url> | |
| <name>[dev] 20110823 Re: DoS with mod_deflate & range requests</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-1245.html</url> | |
| <name>RHSA-2011:1245</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-1294.html</url> | |
| <name>RHSA-2011:1294</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-1300.html</url> | |
| <name>RHSA-2011:1300</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-1329.html</url> | |
| <name>RHSA-2011:1329</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-1330.html</url> | |
| <name>RHSA-2011:1330</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-1369.html</url> | |
| <name>RHSA-2011:1369</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://securitytracker.com/id?1025960</url> | |
| <name>1025960</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00009.html</url> | |
| <name>SUSE-SU-2011:1000</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00010.html</url> | |
| <name>SUSE-SU-2011:1007</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00011.html</url> | |
| <name>SUSE-SU-2011:1010</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00008.html</url> | |
| <name>SUSE-SU-2011:1216</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00011.html</url> | |
| <name>SUSE-SU-2011:1229</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00006.html</url> | |
| <name>openSUSE-SU-2011:0993</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-1199-1</url> | |
| <name>USN-1199-1</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/69396</url> | |
| <name>apache-http-byterange-dos(69396)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.16</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.34</software> | |
| <software>cpe:/a:apache:http_server:1.3.35</software> | |
| <software>cpe:/a:apache:http_server:1.3.36</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:1.3.41</software> | |
| <software>cpe:/a:apache:http_server:1.3.42</software> | |
| <software>cpe:/a:apache:http_server:1.3.65</software> | |
| <software>cpe:/a:apache:http_server:1.3.68</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.0.63</software> | |
| <software>cpe:/a:apache:http_server:2.0.64</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software>cpe:/a:apache:http_server:2.2.13</software> | |
| <software>cpe:/a:apache:http_server:2.2.14</software> | |
| <software>cpe:/a:apache:http_server:2.2.15</software> | |
| <software>cpe:/a:apache:http_server:2.2.16</software> | |
| <software>cpe:/a:apache:http_server:2.2.18</software> | |
| <software>cpe:/a:apache:http_server:2.2.19</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2011-1783</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-399 Resource Management Errors</cwe> | |
| <description>The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is enabled, allows remote attackers to cause a denial of service (infinite loop and memory consumption) in opportunistic circumstances by requesting data.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html</url> | |
| <name>APPLE-SA-2012-02-01-1</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/48091</url> | |
| <name>48091</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://subversion.apache.org/security/CVE-2011-1783-advisory.txt</url> | |
| <name>http://subversion.apache.org/security/CVE-2011-1783-advisory.txt</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT5130</url> | |
| <name>http://support.apple.com/kb/HT5130</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/repos/asf/subversion/tags/1.6.17/CHANGES</url> | |
| <name>http://svn.apache.org/repos/asf/subversion/tags/1.6.17/CHANGES</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=709112</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=709112</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2011/dsa-2251</url> | |
| <name>DSA-2251</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062211.html</url> | |
| <name>FEDORA-2011-8341</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061913.html</url> | |
| <name>FEDORA-2011-8352</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2011:106</url> | |
| <name>MDVSA-2011:106</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-0862.html</url> | |
| <name>RHSA-2011:0862</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1025618</url> | |
| <name>1025618</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-1144-1</url> | |
| <name>USN-1144-1</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| <software>cpe:/a:apache:subversion:1.5.0</software> | |
| <software>cpe:/a:apache:subversion:1.5.1</software> | |
| <software>cpe:/a:apache:subversion:1.5.2</software> | |
| <software>cpe:/a:apache:subversion:1.5.3</software> | |
| <software>cpe:/a:apache:subversion:1.5.4</software> | |
| <software>cpe:/a:apache:subversion:1.5.5</software> | |
| <software>cpe:/a:apache:subversion:1.5.6</software> | |
| <software>cpe:/a:apache:subversion:1.5.7</software> | |
| <software>cpe:/a:apache:subversion:1.5.8</software> | |
| <software>cpe:/a:apache:subversion:1.6.0</software> | |
| <software>cpe:/a:apache:subversion:1.6.1</software> | |
| <software>cpe:/a:apache:subversion:1.6.2</software> | |
| <software>cpe:/a:apache:subversion:1.6.3</software> | |
| <software>cpe:/a:apache:subversion:1.6.4</software> | |
| <software>cpe:/a:apache:subversion:1.6.5</software> | |
| <software>cpe:/a:apache:subversion:1.6.6</software> | |
| <software>cpe:/a:apache:subversion:1.6.7</software> | |
| <software>cpe:/a:apache:subversion:1.6.8</software> | |
| <software>cpe:/a:apache:subversion:1.6.9</software> | |
| <software>cpe:/a:apache:subversion:1.6.10</software> | |
| <software>cpe:/a:apache:subversion:1.6.11</software> | |
| <software>cpe:/a:apache:subversion:1.6.12</software> | |
| <software>cpe:/a:apache:subversion:1.6.13</software> | |
| <software>cpe:/a:apache:subversion:1.6.14</software> | |
| <software>cpe:/a:apache:subversion:1.6.15</software> | |
| <software>cpe:/a:apache:subversion:1.6.16</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2011-1752</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.17, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request for a baselined WebDAV resource, as exploited in the wild in May 2011.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html</url> | |
| <name>APPLE-SA-2012-02-01-1</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/48091</url> | |
| <name>48091</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://subversion.apache.org/security/CVE-2011-1752-advisory.txt</url> | |
| <name>http://subversion.apache.org/security/CVE-2011-1752-advisory.txt</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT5130</url> | |
| <name>http://support.apple.com/kb/HT5130</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/repos/asf/subversion/tags/1.6.17/CHANGES</url> | |
| <name>http://svn.apache.org/repos/asf/subversion/tags/1.6.17/CHANGES</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=709111</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=709111</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2011/dsa-2251</url> | |
| <name>DSA-2251</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062211.html</url> | |
| <name>FEDORA-2011-8341</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061913.html</url> | |
| <name>FEDORA-2011-8352</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2011:106</url> | |
| <name>MDVSA-2011:106</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-0861.html</url> | |
| <name>RHSA-2011:0861</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-0862.html</url> | |
| <name>RHSA-2011:0862</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1025617</url> | |
| <name>1025617</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-1144-1</url> | |
| <name>USN-1144-1</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| <software>cpe:/a:apache:subversion:0.6</software> | |
| <software>cpe:/a:apache:subversion:0.7</software> | |
| <software>cpe:/a:apache:subversion:0.8</software> | |
| <software>cpe:/a:apache:subversion:0.9</software> | |
| <software>cpe:/a:apache:subversion:0.10.0</software> | |
| <software>cpe:/a:apache:subversion:0.10.1</software> | |
| <software>cpe:/a:apache:subversion:0.10.2</software> | |
| <software>cpe:/a:apache:subversion:0.11.1</software> | |
| <software>cpe:/a:apache:subversion:0.12.0</software> | |
| <software>cpe:/a:apache:subversion:0.13.0</software> | |
| <software>cpe:/a:apache:subversion:0.13.1</software> | |
| <software>cpe:/a:apache:subversion:0.13.2</software> | |
| <software>cpe:/a:apache:subversion:0.14.0</software> | |
| <software>cpe:/a:apache:subversion:0.14.1</software> | |
| <software>cpe:/a:apache:subversion:0.14.2</software> | |
| <software>cpe:/a:apache:subversion:0.14.3</software> | |
| <software>cpe:/a:apache:subversion:0.14.4</software> | |
| <software>cpe:/a:apache:subversion:0.14.5</software> | |
| <software>cpe:/a:apache:subversion:0.15</software> | |
| <software>cpe:/a:apache:subversion:0.16</software> | |
| <software>cpe:/a:apache:subversion:0.16.1</software> | |
| <software>cpe:/a:apache:subversion:0.17.0</software> | |
| <software>cpe:/a:apache:subversion:0.17.1</software> | |
| <software>cpe:/a:apache:subversion:0.18.0</software> | |
| <software>cpe:/a:apache:subversion:0.18.1</software> | |
| <software>cpe:/a:apache:subversion:0.19.0</software> | |
| <software>cpe:/a:apache:subversion:0.19.1</software> | |
| <software>cpe:/a:apache:subversion:0.20.0</software> | |
| <software>cpe:/a:apache:subversion:0.20.1</software> | |
| <software>cpe:/a:apache:subversion:0.21.0</software> | |
| <software>cpe:/a:apache:subversion:0.22.0</software> | |
| <software>cpe:/a:apache:subversion:0.22.1</software> | |
| <software>cpe:/a:apache:subversion:0.22.2</software> | |
| <software>cpe:/a:apache:subversion:0.23.0</software> | |
| <software>cpe:/a:apache:subversion:0.24.0</software> | |
| <software>cpe:/a:apache:subversion:0.24.1</software> | |
| <software>cpe:/a:apache:subversion:0.24.2</software> | |
| <software>cpe:/a:apache:subversion:0.25.0</software> | |
| <software>cpe:/a:apache:subversion:0.26.0</software> | |
| <software>cpe:/a:apache:subversion:0.27.0</software> | |
| <software>cpe:/a:apache:subversion:0.28.0</software> | |
| <software>cpe:/a:apache:subversion:0.28.1</software> | |
| <software>cpe:/a:apache:subversion:0.28.2</software> | |
| <software>cpe:/a:apache:subversion:0.29.0</software> | |
| <software>cpe:/a:apache:subversion:0.30.0</software> | |
| <software>cpe:/a:apache:subversion:0.31.0</software> | |
| <software>cpe:/a:apache:subversion:0.32.1</software> | |
| <software>cpe:/a:apache:subversion:0.33.0</software> | |
| <software>cpe:/a:apache:subversion:0.33.1</software> | |
| <software>cpe:/a:apache:subversion:0.34.0</software> | |
| <software>cpe:/a:apache:subversion:0.35.0</software> | |
| <software>cpe:/a:apache:subversion:0.35.1</software> | |
| <software>cpe:/a:apache:subversion:0.36.0</software> | |
| <software>cpe:/a:apache:subversion:0.37.0</software> | |
| <software>cpe:/a:apache:subversion:1.0.0</software> | |
| <software>cpe:/a:apache:subversion:1.0.1</software> | |
| <software>cpe:/a:apache:subversion:1.0.2</software> | |
| <software>cpe:/a:apache:subversion:1.0.3</software> | |
| <software>cpe:/a:apache:subversion:1.0.4</software> | |
| <software>cpe:/a:apache:subversion:1.0.5</software> | |
| <software>cpe:/a:apache:subversion:1.0.6</software> | |
| <software>cpe:/a:apache:subversion:1.0.7</software> | |
| <software>cpe:/a:apache:subversion:1.0.8</software> | |
| <software>cpe:/a:apache:subversion:1.0.9</software> | |
| <software>cpe:/a:apache:subversion:1.1.0</software> | |
| <software>cpe:/a:apache:subversion:1.1.1</software> | |
| <software>cpe:/a:apache:subversion:1.1.2</software> | |
| <software>cpe:/a:apache:subversion:1.1.3</software> | |
| <software>cpe:/a:apache:subversion:1.1.4</software> | |
| <software>cpe:/a:apache:subversion:1.2.0</software> | |
| <software>cpe:/a:apache:subversion:1.2.1</software> | |
| <software>cpe:/a:apache:subversion:1.2.2</software> | |
| <software>cpe:/a:apache:subversion:1.2.3</software> | |
| <software>cpe:/a:apache:subversion:1.3.0</software> | |
| <software>cpe:/a:apache:subversion:1.3.1</software> | |
| <software>cpe:/a:apache:subversion:1.3.2</software> | |
| <software>cpe:/a:apache:subversion:1.4.0</software> | |
| <software>cpe:/a:apache:subversion:1.4.1</software> | |
| <software>cpe:/a:apache:subversion:1.4.2</software> | |
| <software>cpe:/a:apache:subversion:1.4.3</software> | |
| <software>cpe:/a:apache:subversion:1.4.4</software> | |
| <software>cpe:/a:apache:subversion:1.4.5</software> | |
| <software>cpe:/a:apache:subversion:1.4.6</software> | |
| <software>cpe:/a:apache:subversion:1.5.0</software> | |
| <software>cpe:/a:apache:subversion:1.5.1</software> | |
| <software>cpe:/a:apache:subversion:1.5.2</software> | |
| <software>cpe:/a:apache:subversion:1.5.3</software> | |
| <software>cpe:/a:apache:subversion:1.5.4</software> | |
| <software>cpe:/a:apache:subversion:1.5.5</software> | |
| <software>cpe:/a:apache:subversion:1.5.6</software> | |
| <software>cpe:/a:apache:subversion:1.5.7</software> | |
| <software>cpe:/a:apache:subversion:1.5.8</software> | |
| <software>cpe:/a:apache:subversion:1.6.0</software> | |
| <software>cpe:/a:apache:subversion:1.6.1</software> | |
| <software>cpe:/a:apache:subversion:1.6.2</software> | |
| <software>cpe:/a:apache:subversion:1.6.3</software> | |
| <software>cpe:/a:apache:subversion:1.6.4</software> | |
| <software>cpe:/a:apache:subversion:1.6.5</software> | |
| <software>cpe:/a:apache:subversion:1.6.6</software> | |
| <software>cpe:/a:apache:subversion:1.6.7</software> | |
| <software>cpe:/a:apache:subversion:1.6.8</software> | |
| <software>cpe:/a:apache:subversion:1.6.9</software> | |
| <software>cpe:/a:apache:subversion:1.6.10</software> | |
| <software>cpe:/a:apache:subversion:1.6.11</software> | |
| <software>cpe:/a:apache:subversion:1.6.12</software> | |
| <software>cpe:/a:apache:subversion:1.6.13</software> | |
| <software>cpe:/a:apache:subversion:1.6.14</software> | |
| <software>cpe:/a:apache:subversion:1.6.15</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:subversion:1.6.16</software> | |
| <software>cpe:/a:apache:subversion:m1</software> | |
| <software>cpe:/a:apache:subversion:m2</software> | |
| <software>cpe:/a:apache:subversion:m3</software> | |
| <software>cpe:/a:apache:subversion:m4%2fm5</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2011-0419</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-399 Resource Management Errors</cwe> | |
| <description>Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html</url> | |
| <name>APPLE-SA-2011-10-12-3</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/fnmatch.c#rev1.22</url> | |
| <name>http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/fnmatch.c#rev1.22</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/security/vulnerabilities_22.html</url> | |
| <name>http://httpd.apache.org/security/vulnerabilities_22.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT5002</url> | |
| <name>http://support.apple.com/kb/HT5002</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/strings/apr_fnmatch.c?r1=731029&r2=1098902</url> | |
| <name>http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/strings/apr_fnmatch.c?r1=731029&r2=1098902</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=revision&revision=1098188</url> | |
| <name>http://svn.apache.org/viewvc?view=revision&revision=1098188</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=revision&revision=1098799</url> | |
| <name>http://svn.apache.org/viewvc?view=revision&revision=1098799</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/apr/Announcement1.x.html</url> | |
| <name>http://www.apache.org/dist/apr/Announcement1.x.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/apr/CHANGES-APR-1.4</url> | |
| <name>http://www.apache.org/dist/apr/CHANGES-APR-1.4</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/httpd/Announcement2.2.html</url> | |
| <name>http://www.apache.org/dist/httpd/Announcement2.2.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fnmatch.c#rev1.15</url> | |
| <name>http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fnmatch.c#rev1.15</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=703390</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=703390</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2011/dsa-2237</url> | |
| <name>DSA-2237</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=132033751509019&w=2</url> | |
| <name>HPSBMU02704</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=131551295528105&w=2</url> | |
| <name>SSRT100606</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=131731002122529&w=2</url> | |
| <name>SSRT100626</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=134987041210674&w=2</url> | |
| <name>SSRT100966</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2011:084</url> | |
| <name>MDVSA-2011:084</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2013:150</url> | |
| <name>MDVSA-2013:150</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://cxib.net/stuff/apache.fnmatch.phps</url> | |
| <name>http://cxib.net/stuff/apache.fnmatch.phps</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://cxib.net/stuff/apr_fnmatch.txts</url> | |
| <name>http://cxib.net/stuff/apr_fnmatch.txts</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://www.mail-archive.com/dev@apr.apache.org/msg23961.html</url> | |
| <name>[dev] 20110510 Re: Apache Portable Runtime 1.4.4 [...] Released</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://www.mail-archive.com/dev@apr.apache.org/msg23960.html</url> | |
| <name>[dev] 20110510 Re: fnmatch rewrite in apr, apr 1.4.3</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://www.mail-archive.com/dev@apr.apache.org/msg23976.html</url> | |
| <name>[dev] 20110511 Re: Apache Portable Runtime 1.4.4 [...] Released</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-0507.html</url> | |
| <name>RHSA-2011:0507</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-0896.html</url> | |
| <name>RHSA-2011:0896</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-0897.html</url> | |
| <name>RHSA-2011:0897</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://securitytracker.com/id?1025527</url> | |
| <name>1025527</name> | |
| </reference> | |
| <reference> | |
| <source>SREASON</source> | |
| <url>http://securityreason.com/securityalert/8246</url> | |
| <name>8246</name> | |
| </reference> | |
| <reference> | |
| <source>SREASONRES</source> | |
| <url>http://securityreason.com/achievement_securityalert/98</url> | |
| <name>20110512 Multiple Vendors libc/fnmatch(3) DoS (incl apache)</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00011.html</url> | |
| <name>SUSE-SU-2011:1229</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:0.8.11</software> | |
| <software>cpe:/a:apache:http_server:0.8.14</software> | |
| <software>cpe:/a:apache:http_server:1.0</software> | |
| <software>cpe:/a:apache:http_server:1.0.2</software> | |
| <software>cpe:/a:apache:http_server:1.0.3</software> | |
| <software>cpe:/a:apache:http_server:1.0.5</software> | |
| <software>cpe:/a:apache:http_server:1.1</software> | |
| <software>cpe:/a:apache:http_server:1.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.2</software> | |
| <software>cpe:/a:apache:http_server:1.2.4</software> | |
| <software>cpe:/a:apache:http_server:1.2.5</software> | |
| <software>cpe:/a:apache:http_server:1.2.6</software> | |
| <software>cpe:/a:apache:http_server:1.2.9</software> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.16</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.34</software> | |
| <software>cpe:/a:apache:http_server:1.3.35</software> | |
| <software>cpe:/a:apache:http_server:1.3.36</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:1.3.41</software> | |
| <software>cpe:/a:apache:http_server:1.3.42</software> | |
| <software>cpe:/a:apache:http_server:1.3.65</software> | |
| <software>cpe:/a:apache:http_server:1.3.68</software> | |
| <software>cpe:/a:apache:http_server:1.4.0</software> | |
| <software>cpe:/a:apache:http_server:1.99</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.0.63</software> | |
| <software>cpe:/a:apache:http_server:2.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.2</software> | |
| <software>cpe:/a:apache:http_server:2.1.3</software> | |
| <software>cpe:/a:apache:http_server:2.1.4</software> | |
| <software>cpe:/a:apache:http_server:2.1.5</software> | |
| <software>cpe:/a:apache:http_server:2.1.6</software> | |
| <software>cpe:/a:apache:http_server:2.1.7</software> | |
| <software>cpe:/a:apache:http_server:2.1.8</software> | |
| <software>cpe:/a:apache:http_server:2.1.9</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software>cpe:/a:apache:http_server:2.2.13</software> | |
| <software>cpe:/a:apache:http_server:2.2.14</software> | |
| <software>cpe:/a:apache:http_server:2.2.15</software> | |
| <software>cpe:/a:apache:http_server:2.2.16</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.2.17</software> | |
| <software>cpe:/a:apache:portable_runtime:0.9.1</software> | |
| <software>cpe:/a:apache:portable_runtime:0.9.2</software> | |
| <software>cpe:/a:apache:portable_runtime:0.9.2-dev</software> | |
| <software>cpe:/a:apache:portable_runtime:0.9.3</software> | |
| <software>cpe:/a:apache:portable_runtime:0.9.3-dev</software> | |
| <software>cpe:/a:apache:portable_runtime:0.9.4</software> | |
| <software>cpe:/a:apache:portable_runtime:0.9.5</software> | |
| <software>cpe:/a:apache:portable_runtime:0.9.6</software> | |
| <software>cpe:/a:apache:portable_runtime:0.9.7</software> | |
| <software>cpe:/a:apache:portable_runtime:0.9.7-dev</software> | |
| <software>cpe:/a:apache:portable_runtime:0.9.8</software> | |
| <software>cpe:/a:apache:portable_runtime:0.9.9</software> | |
| <software>cpe:/a:apache:portable_runtime:0.9.16-dev</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.0</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.1</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.2</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.3</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.4</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.4-dev</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.5</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.6</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.6-dev</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.7</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.8</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.9</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.10</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.11</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.12</software> | |
| <software>cpe:/a:apache:portable_runtime:1.3.13</software> | |
| <software>cpe:/a:apache:portable_runtime:1.4.0</software> | |
| <software>cpe:/a:apache:portable_runtime:1.4.1</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:portable_runtime:1.4.2</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2010-1151</name> | |
| <cvssScore>6.8</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')</cwe> | |
| <description>Race condition in the mod_auth_shadow module for the Apache HTTP Server allows remote attackers to bypass authentication, and read and possibly modify data, via vectors related to improper interaction with an external helper application for validation of credentials.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/39538</url> | |
| <name>39538</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=578168</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=578168</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041326.html</url> | |
| <name>FEDORA-2010-6323</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041340.html</url> | |
| <name>FEDORA-2010-6359</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2010:081</url> | |
| <name>MDVSA-2010:081</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/0908</url> | |
| <name>ADV-2010-0908</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/1148</url> | |
| <name>ADV-2010-1148</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:apache_http_server</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2010-0010</name> | |
| <cvssScore>6.8</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-189 Numeric Errors</cwe> | |
| <description>Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/37966</url> | |
| <name>37966</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/509185/100/0/threaded</url> | |
| <name>20100127 Mod_proxy from apache 1.3 - Integer overflow which causes heap overflow.</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/dev/dist/CHANGES_1.3.42</url> | |
| <name>http://httpd.apache.org/dev/dist/CHANGES_1.3.42</name> | |
| </reference> | |
| <reference> | |
| <source>FULLDISC</source> | |
| <url>http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0589.html</url> | |
| <name>20100127 Mod_proxy from apache 1.3 - Integer overflow which causes heap overflow.</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=130497311408250&w=2</url> | |
| <name>HPSBOV02683</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://blog.pi3.com.pl/?p=69</url> | |
| <name>http://blog.pi3.com.pl/?p=69</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://packetstormsecurity.org/1001-exploits/modproxy-overflow.txt</url> | |
| <name>http://packetstormsecurity.org/1001-exploits/modproxy-overflow.txt</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://site.pi3.com.pl/adv/mod_proxy.txt</url> | |
| <name>http://site.pi3.com.pl/adv/mod_proxy.txt</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023533</url> | |
| <name>1023533</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00006.html</url> | |
| <name>SUSE-SR:2010:010</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/0240</url> | |
| <name>ADV-2010-0240</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/1001</url> | |
| <name>ADV-2010-1001</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/55941</url> | |
| <name>modproxy-approxysendfb-bo(55941)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:0.8.11</software> | |
| <software>cpe:/a:apache:http_server:0.8.14</software> | |
| <software>cpe:/a:apache:http_server:1.0</software> | |
| <software>cpe:/a:apache:http_server:1.0.3</software> | |
| <software>cpe:/a:apache:http_server:1.0.5</software> | |
| <software>cpe:/a:apache:http_server:1.1</software> | |
| <software>cpe:/a:apache:http_server:1.2</software> | |
| <software>cpe:/a:apache:http_server:1.2.4</software> | |
| <software>cpe:/a:apache:http_server:1.2.5</software> | |
| <software>cpe:/a:apache:http_server:1.2.6</software> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.34</software> | |
| <software>cpe:/a:apache:http_server:1.3.35</software> | |
| <software>cpe:/a:apache:http_server:1.3.36</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:1.3.40</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:1.3.41</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2009-3555</name> | |
| <cvssScore>5.8</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-310 Cryptographic Issues</cwe> | |
| <description>The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.</description> | |
| <references> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg1IC67848</url> | |
| <name>IC67848</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg1IC68054</url> | |
| <name>IC68054</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg1IC68055</url> | |
| <name>IC68055</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/search.wss?rs=0&q=PM00675&apar=only</url> | |
| <name>PM00675</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg1PM12247</url> | |
| <name>PM12247</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2010/Jan/msg00000.html</url> | |
| <name>APPLE-SA-2010-01-19-1</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2010//May/msg00001.html</url> | |
| <name>APPLE-SA-2010-05-18-1</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2010//May/msg00002.html</url> | |
| <name>APPLE-SA-2010-05-18-2</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/36935</url> | |
| <name>36935</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/507952/100/0/threaded</url> | |
| <name>20091118 TLS / SSLv3 vulnerability explained (DRAFT)</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/508075/100/0/threaded</url> | |
| <name>20091124 rPSA-2009-0155-1 httpd mod_ssl</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/508130/100/0/threaded</url> | |
| <name>20091130 TLS / SSLv3 vulnerability explained (New ways to leverage the vulnerability)</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/515055/100/0/threaded</url> | |
| <name>20101207 VMSA-2010-0019 VMware ESX third party updates for Service Console</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/516397/100/0/threaded</url> | |
| <name>20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2013-11/0120.html</url> | |
| <name>20131121 ESA-2013-077: RSA Data Protection Manager Appliance Multiple Vulnerabilities</name> | |
| </reference> | |
| <reference> | |
| <source>CERT</source> | |
| <url>http://www.us-cert.gov/cas/techalerts/TA10-222A.html</url> | |
| <name>TA10-222A</name> | |
| </reference> | |
| <reference> | |
| <source>CERT</source> | |
| <url>http://www.us-cert.gov/cas/techalerts/TA10-287A.html</url> | |
| <name>TA10-287A</name> | |
| </reference> | |
| <reference> | |
| <source>CERT-VN</source> | |
| <url>http://www.kb.cert.org/vuls/id/120541</url> | |
| <name>VU#120541</name> | |
| </reference> | |
| <reference> | |
| <source>CISCO</source> | |
| <url>http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml</url> | |
| <name>20091109 Transport Layer Security Renegotiation Vulnerability</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://blogs.sun.com/security/entry/vulnerability_in_tls_protocol_during</url> | |
| <name>http://blogs.sun.com/security/entry/vulnerability_in_tls_protocol_during</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://kbase.redhat.com/faq/docs/DOC-20491</url> | |
| <name>http://kbase.redhat.com/faq/docs/DOC-20491</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT4004</url> | |
| <name>http://support.apple.com/kb/HT4004</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT4170</url> | |
| <name>http://support.apple.com/kb/HT4170</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT4171</url> | |
| <name>http://support.apple.com/kb/HT4171</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.avaya.com/css/P8/documents/100070150</url> | |
| <name>http://support.avaya.com/css/P8/documents/100070150</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.avaya.com/css/P8/documents/100081611</url> | |
| <name>http://support.avaya.com/css/P8/documents/100081611</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.avaya.com/css/P8/documents/100114315</url> | |
| <name>http://support.avaya.com/css/P8/documents/100114315</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.avaya.com/css/P8/documents/100114327</url> | |
| <name>http://support.avaya.com/css/P8/documents/100114327</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.citrix.com/article/CTX123359</url> | |
| <name>http://support.citrix.com/article/CTX123359</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.zeus.com/zws/media/docs/4.3/RELEASE_NOTES</url> | |
| <name>http://support.zeus.com/zws/media/docs/4.3/RELEASE_NOTES</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.zeus.com/zws/news/2010/01/13/zws_4_3r5_released</url> | |
| <name>http://support.zeus.com/zws/news/2010/01/13/zws_4_3r5_released</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://sysoev.ru/nginx/patch.cve-2009-3555.txt</url> | |
| <name>http://sysoev.ru/nginx/patch.cve-2009-3555.txt</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://tomcat.apache.org/native-doc/miscellaneous/changelog-1.1.x.html</url> | |
| <name>http://tomcat.apache.org/native-doc/miscellaneous/changelog-1.1.x.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://wiki.rpath.com/Advisories:rPSA-2009-0155</url> | |
| <name>http://wiki.rpath.com/Advisories:rPSA-2009-0155</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21426108</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21426108</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21432298</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21432298</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg24006386</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg24006386</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg24025312</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg24025312</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.arubanetworks.com/support/alerts/aid-020810.txt</url> | |
| <name>http://www.arubanetworks.com/support/alerts/aid-020810.txt</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-030/index.html</url> | |
| <name>http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-030/index.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.ingate.com/Relnote.php?ver=481</url> | |
| <name>http://www.ingate.com/Relnote.php?ver=481</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.mozilla.org/security/announce/2010/mfsa2010-22.html</url> | |
| <name>http://www.mozilla.org/security/announce/2010/mfsa2010-22.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.openoffice.org/security/cves/CVE-2009-3555.html</url> | |
| <name>http://www.openoffice.org/security/cves/CVE-2009-3555.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.openssl.org/news/secadv_20091111.txt</url> | |
| <name>http://www.openssl.org/news/secadv_20091111.txt</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.opera.com/docs/changelogs/unix/1060/</url> | |
| <name>http://www.opera.com/docs/changelogs/unix/1060/</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.opera.com/support/search/view/944/</url> | |
| <name>http://www.opera.com/support/search/view/944/</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2c</url> | |
| <name>http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2c</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.vmware.com/security/advisories/VMSA-2010-0019.html</url> | |
| <name>http://www.vmware.com/security/advisories/VMSA-2010-0019.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.vmware.com/security/advisories/VMSA-2011-0003.html</url> | |
| <name>http://www.vmware.com/security/advisories/VMSA-2011-0003.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html</url> | |
| <name>http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.mozilla.org/show_bug.cgi?id=545755</url> | |
| <name>https://bugzilla.mozilla.org/show_bug.cgi?id=545755</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=533125</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=533125</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888</url> | |
| <name>https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://kb.bluecoat.com/index?page=content&id=SA50</url> | |
| <name>https://kb.bluecoat.com/index?page=content&id=SA50</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2009/dsa-1934</url> | |
| <name>DSA-1934</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2011/dsa-2141</url> | |
| <name>DSA-2141</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2015/dsa-3253</url> | |
| <name>DSA-3253</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01029.html</url> | |
| <name>FEDORA-2009-12229</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01020.html</url> | |
| <name>FEDORA-2009-12305</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00645.html</url> | |
| <name>FEDORA-2009-12604</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00944.html</url> | |
| <name>FEDORA-2009-12606</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.html</url> | |
| <name>FEDORA-2009-12750</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.html</url> | |
| <name>FEDORA-2009-12775</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.html</url> | |
| <name>FEDORA-2009-12782</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00634.html</url> | |
| <name>FEDORA-2009-12968</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049702.html</url> | |
| <name>FEDORA-2010-16240</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049528.html</url> | |
| <name>FEDORA-2010-16294</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049455.html</url> | |
| <name>FEDORA-2010-16312</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html</url> | |
| <name>FEDORA-2010-5357</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039957.html</url> | |
| <name>FEDORA-2010-5942</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://lists.fedoraproject.org/pipermail/package-announce/2010-May/040652.html</url> | |
| <name>FEDORA-2010-6131</name> | |
| </reference> | |
| <reference> | |
| <source>FULLDISC</source> | |
| <url>http://seclists.org/fulldisclosure/2009/Nov/139</url> | |
| <name>20091111 Re: SSL/TLS MiTM PoC</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200912-01.xml</url> | |
| <name>GLSA-200912-01</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-201203-22.xml</url> | |
| <name>GLSA-201203-22</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-201406-32.xml</url> | |
| <name>GLSA-201406-32</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02436041</url> | |
| <name>HPSBGN02562</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=132077688910227&w=2</url> | |
| <name>HPSBHF02706</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=127419602507642&w=2</url> | |
| <name>HPSBMA02534</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://www.securityfocus.com/archive/1/522176</url> | |
| <name>HPSBMU02759</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=134254866602253&w=2</url> | |
| <name>HPSBMU02799</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=130497311408250&w=2</url> | |
| <name>HPSBOV02683</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01945686</url> | |
| <name>SSRT090249</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=126150535619567&w=2</url> | |
| <name>SSRT090264</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=127128920008563&w=2</url> | |
| <name>SSRT100058</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=127557596201693&w=2</url> | |
| <name>SSRT100089</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751</url> | |
| <name>SSRT100179</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995</url> | |
| <name>SSRT100219</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=133469267822771&w=2</url> | |
| <name>SSRT100825</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=142660345230545&w=2</url> | |
| <name>SSRT101846</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2010:076</url> | |
| <name>MDVSA-2010:076</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2010:084</url> | |
| <name>MDVSA-2010:084</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2010:089</url> | |
| <name>MDVSA-2010:089</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html</url> | |
| <name>http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://blogs.iss.net/archive/sslmitmiscsrf.html</url> | |
| <name>http://blogs.iss.net/archive/sslmitmiscsrf.html</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://clicky.me/tlsvuln</url> | |
| <name>http://clicky.me/tlsvuln</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://extendedsubset.com/?p=8</url> | |
| <name>http://extendedsubset.com/?p=8</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://extendedsubset.com/Renegotiating_TLS.pdf</url> | |
| <name>http://extendedsubset.com/Renegotiating_TLS.pdf</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.betanews.com/article/1257452450</url> | |
| <name>http://www.betanews.com/article/1257452450</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html</url> | |
| <name>http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.links.org/?p=780</url> | |
| <name>http://www.links.org/?p=780</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.links.org/?p=786</url> | |
| <name>http://www.links.org/?p=786</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.links.org/?p=789</url> | |
| <name>http://www.links.org/?p=789</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html</url> | |
| <name>http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.tombom.co.uk/blog/?p=85</url> | |
| <name>http://www.tombom.co.uk/blog/?p=85</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://xss.cx/examples/plesk-reports/plesk-parallels-controlpanel-psa.v.10.3.1_build1013110726.09%20os_redhat.el6-billing-system-plugin-javascript-injection-example-poc-report.html</url> | |
| <name>http://xss.cx/examples/plesk-reports/plesk-parallels-controlpanel-psa.v.10.3.1_build1013110726.09%20os_redhat.el6-billing-system-plugin-javascript-injection-example-poc-report.html</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>https://bugzilla.mozilla.org/show_bug.cgi?id=526689</url> | |
| <name>https://bugzilla.mozilla.org/show_bug.cgi?id=526689</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html</url> | |
| <name>https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt</url> | |
| <name>https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2</url> | |
| <name>[announce] 20091107 CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://marc.info/?l=cryptography&m=125752275331877&w=2</url> | |
| <name>[cryptography] 20091105 OpenSSL 0.9.8l released</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00029.html</url> | |
| <name>[gnutls-devel] 20091105 Re: TLS renegotiation MITM</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://www.openwall.com/lists/oss-security/2009/11/05/3</url> | |
| <name>[oss-security] 20091105 CVE-2009-3555 for TLS renegotiation MITM attacks</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://www.openwall.com/lists/oss-security/2009/11/05/5</url> | |
| <name>[oss-security] 20091105 Re: CVE-2009-3555 for TLS renegotiation MITM attacks</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://www.openwall.com/lists/oss-security/2009/11/06/3</url> | |
| <name>[oss-security] 20091107 Re: CVE-2009-3555 for TLS renegotiation MITM attacks</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://www.openwall.com/lists/oss-security/2009/11/07/3</url> | |
| <name>[oss-security] 20091107 Re: [TLS] CVE-2009-3555 for TLS renegotiation MITM attacks</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://www.openwall.com/lists/oss-security/2009/11/20/1</url> | |
| <name>[oss-security] 20091120 CVEs for nginx</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://www.openwall.com/lists/oss-security/2009/11/23/10</url> | |
| <name>[oss-security] 20091123 Re: CVEs for nginx</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://www.ietf.org/mail-archive/web/tls/current/msg03928.html</url> | |
| <name>[tls] 20091104 MITM attack on delayed TLS-client auth through renegotiation</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://www.ietf.org/mail-archive/web/tls/current/msg03948.html</url> | |
| <name>[tls] 20091104 TLS renegotiation issue</name> | |
| </reference> | |
| <reference> | |
| <source>MS</source> | |
| <url>http://www.microsoft.com/technet/security/Bulletin/MS10-049.mspx</url> | |
| <name>MS10-049</name> | |
| </reference> | |
| <reference> | |
| <source>OPENBSD</source> | |
| <url>http://openbsd.org/errata45.html#010_openssl</url> | |
| <name>[4.5] 010: SECURITY FIX: November 26, 2009</name> | |
| </reference> | |
| <reference> | |
| <source>OPENBSD</source> | |
| <url>http://openbsd.org/errata46.html#004_openssl</url> | |
| <name>[4.6] 004: SECURITY FIX: November 26, 2009</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0119.html</url> | |
| <name>RHSA-2010:0119</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0130.html</url> | |
| <name>RHSA-2010:0130</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0155.html</url> | |
| <name>RHSA-2010:0155</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0165.html</url> | |
| <name>RHSA-2010:0165</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0167.html</url> | |
| <name>RHSA-2010:0167</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0337.html</url> | |
| <name>RHSA-2010:0337</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0338.html</url> | |
| <name>RHSA-2010:0338</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0339.html</url> | |
| <name>RHSA-2010:0339</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0768.html</url> | |
| <name>RHSA-2010:0768</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0770.html</url> | |
| <name>RHSA-2010:0770</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0786.html</url> | |
| <name>RHSA-2010:0786</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0807.html</url> | |
| <name>RHSA-2010:0807</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0865.html</url> | |
| <name>RHSA-2010:0865</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0986.html</url> | |
| <name>RHSA-2010:0986</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2010-0987.html</url> | |
| <name>RHSA-2010:0987</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2011-0880.html</url> | |
| <name>RHSA-2011:0880</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://securitytracker.com/id?1023148</url> | |
| <name>1023148</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023163</url> | |
| <name>1023163</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023204</url> | |
| <name>1023204</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023205</url> | |
| <name>1023205</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023206</url> | |
| <name>1023206</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023207</url> | |
| <name>1023207</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023208</url> | |
| <name>1023208</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023209</url> | |
| <name>1023209</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023210</url> | |
| <name>1023210</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023211</url> | |
| <name>1023211</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023212</url> | |
| <name>1023212</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023213</url> | |
| <name>1023213</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023214</url> | |
| <name>1023214</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023215</url> | |
| <name>1023215</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023216</url> | |
| <name>1023216</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023217</url> | |
| <name>1023217</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023218</url> | |
| <name>1023218</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023219</url> | |
| <name>1023219</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023224</url> | |
| <name>1023224</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023243</url> | |
| <name>1023243</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023270</url> | |
| <name>1023270</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023271</url> | |
| <name>1023271</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023272</url> | |
| <name>1023272</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023273</url> | |
| <name>1023273</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023274</url> | |
| <name>1023274</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023275</url> | |
| <name>1023275</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023411</url> | |
| <name>1023411</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023426</url> | |
| <name>1023426</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023427</url> | |
| <name>1023427</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1023428</url> | |
| <name>1023428</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1024789</url> | |
| <name>1024789</name> | |
| </reference> | |
| <reference> | |
| <source>SLACKWARE</source> | |
| <url>http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.597446</url> | |
| <name>SSA:2009-320-01</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021653.1-1</url> | |
| <name>1021653</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021752.1-1</url> | |
| <name>1021752</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-66-273029-1</url> | |
| <name>273029</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-273350-1</url> | |
| <name>273350</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-66-274990-1</url> | |
| <name>274990</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.html</url> | |
| <name>SUSE-SA:2009:057</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00005.html</url> | |
| <name>SUSE-SA:2010:061</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html</url> | |
| <name>SUSE-SR:2010:008</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html</url> | |
| <name>SUSE-SR:2010:011</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html</url> | |
| <name>SUSE-SR:2010:012</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html</url> | |
| <name>SUSE-SR:2010:013</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.html</url> | |
| <name>SUSE-SR:2010:019</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html</url> | |
| <name>SUSE-SR:2010:024</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html</url> | |
| <name>SUSE-SU-2011:0847</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html</url> | |
| <name>openSUSE-SU-2011:0845</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-1010-1</url> | |
| <name>USN-1010-1</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://ubuntu.com/usn/usn-923-1</url> | |
| <name>USN-923-1</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-927-1</url> | |
| <name>USN-927-1</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-927-4</url> | |
| <name>USN-927-4</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-927-5</url> | |
| <name>USN-927-5</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3164</url> | |
| <name>ADV-2009-3164</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3165</url> | |
| <name>ADV-2009-3165</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3205</url> | |
| <name>ADV-2009-3205</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3220</url> | |
| <name>ADV-2009-3220</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3310</url> | |
| <name>ADV-2009-3310</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3313</url> | |
| <name>ADV-2009-3313</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3353</url> | |
| <name>ADV-2009-3353</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3354</url> | |
| <name>ADV-2009-3354</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3484</url> | |
| <name>ADV-2009-3484</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3521</url> | |
| <name>ADV-2009-3521</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3587</url> | |
| <name>ADV-2009-3587</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/0086</url> | |
| <name>ADV-2010-0086</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/0173</url> | |
| <name>ADV-2010-0173</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/0748</url> | |
| <name>ADV-2010-0748</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/0848</url> | |
| <name>ADV-2010-0848</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/0916</url> | |
| <name>ADV-2010-0916</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/0933</url> | |
| <name>ADV-2010-0933</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/0982</url> | |
| <name>ADV-2010-0982</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/0994</url> | |
| <name>ADV-2010-0994</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/1054</url> | |
| <name>ADV-2010-1054</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/1107</url> | |
| <name>ADV-2010-1107</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/1191</url> | |
| <name>ADV-2010-1191</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/1350</url> | |
| <name>ADV-2010-1350</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/1639</url> | |
| <name>ADV-2010-1639</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/1673</url> | |
| <name>ADV-2010-1673</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/1793</url> | |
| <name>ADV-2010-1793</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/2010</url> | |
| <name>ADV-2010-2010</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/2745</url> | |
| <name>ADV-2010-2745</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/3069</url> | |
| <name>ADV-2010-3069</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/3086</url> | |
| <name>ADV-2010-3086</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/3126</url> | |
| <name>ADV-2010-3126</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2011/0032</url> | |
| <name>ADV-2011-0032</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2011/0033</url> | |
| <name>ADV-2011-0033</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2011/0086</url> | |
| <name>ADV-2011-0086</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/54158</url> | |
| <name>tls-renegotiation-weak-security(54158)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:0.8.11</software> | |
| <software>cpe:/a:apache:http_server:0.8.14</software> | |
| <software>cpe:/a:apache:http_server:1.0</software> | |
| <software>cpe:/a:apache:http_server:1.0.2</software> | |
| <software>cpe:/a:apache:http_server:1.0.3</software> | |
| <software>cpe:/a:apache:http_server:1.0.5</software> | |
| <software>cpe:/a:apache:http_server:1.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.2</software> | |
| <software>cpe:/a:apache:http_server:1.2.4</software> | |
| <software>cpe:/a:apache:http_server:1.2.5</software> | |
| <software>cpe:/a:apache:http_server:1.2.6</software> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.7::dev</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.16</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.34</software> | |
| <software>cpe:/a:apache:http_server:1.3.35</software> | |
| <software>cpe:/a:apache:http_server:1.3.36</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:1.3.65</software> | |
| <software>cpe:/a:apache:http_server:1.3.68</software> | |
| <software>cpe:/a:apache:http_server:1.4.0</software> | |
| <software>cpe:/a:apache:http_server:1.99</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.46::win32</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.58::win32</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.0.63</software> | |
| <software>cpe:/a:apache:http_server:2.1.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.2</software> | |
| <software>cpe:/a:apache:http_server:2.1.3</software> | |
| <software>cpe:/a:apache:http_server:2.1.4</software> | |
| <software>cpe:/a:apache:http_server:2.1.5</software> | |
| <software>cpe:/a:apache:http_server:2.1.6</software> | |
| <software>cpe:/a:apache:http_server:2.1.7</software> | |
| <software>cpe:/a:apache:http_server:2.1.8</software> | |
| <software>cpe:/a:apache:http_server:2.1.9</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.5</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.7</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.2.13</software> | |
| <software>cpe:/a:gnu:gnutls:1.0.16</software> | |
| <software>cpe:/a:gnu:gnutls:1.0.17</software> | |
| <software>cpe:/a:gnu:gnutls:1.0.18</software> | |
| <software>cpe:/a:gnu:gnutls:1.0.19</software> | |
| <software>cpe:/a:gnu:gnutls:1.0.20</software> | |
| <software>cpe:/a:gnu:gnutls:1.0.21</software> | |
| <software>cpe:/a:gnu:gnutls:1.0.22</software> | |
| <software>cpe:/a:gnu:gnutls:1.0.23</software> | |
| <software>cpe:/a:gnu:gnutls:1.0.24</software> | |
| <software>cpe:/a:gnu:gnutls:1.0.25</software> | |
| <software>cpe:/a:gnu:gnutls:1.1.13</software> | |
| <software>cpe:/a:gnu:gnutls:1.1.14</software> | |
| <software>cpe:/a:gnu:gnutls:1.1.15</software> | |
| <software>cpe:/a:gnu:gnutls:1.1.16</software> | |
| <software>cpe:/a:gnu:gnutls:1.1.17</software> | |
| <software>cpe:/a:gnu:gnutls:1.1.18</software> | |
| <software>cpe:/a:gnu:gnutls:1.1.19</software> | |
| <software>cpe:/a:gnu:gnutls:1.1.20</software> | |
| <software>cpe:/a:gnu:gnutls:1.1.21</software> | |
| <software>cpe:/a:gnu:gnutls:1.1.22</software> | |
| <software>cpe:/a:gnu:gnutls:1.1.23</software> | |
| <software>cpe:/a:gnu:gnutls:1.2.0</software> | |
| <software>cpe:/a:gnu:gnutls:1.2.1</software> | |
| <software>cpe:/a:gnu:gnutls:1.2.2</software> | |
| <software>cpe:/a:gnu:gnutls:1.2.3</software> | |
| <software>cpe:/a:gnu:gnutls:1.2.4</software> | |
| <software>cpe:/a:gnu:gnutls:1.2.5</software> | |
| <software>cpe:/a:gnu:gnutls:1.2.6</software> | |
| <software>cpe:/a:gnu:gnutls:1.2.7</software> | |
| <software>cpe:/a:gnu:gnutls:1.2.8</software> | |
| <software>cpe:/a:gnu:gnutls:1.2.8.1a1</software> | |
| <software>cpe:/a:gnu:gnutls:1.2.9</software> | |
| <software>cpe:/a:gnu:gnutls:1.2.10</software> | |
| <software>cpe:/a:gnu:gnutls:1.2.11</software> | |
| <software>cpe:/a:gnu:gnutls:1.3.0</software> | |
| <software>cpe:/a:gnu:gnutls:1.3.1</software> | |
| <software>cpe:/a:gnu:gnutls:1.3.2</software> | |
| <software>cpe:/a:gnu:gnutls:1.3.3</software> | |
| <software>cpe:/a:gnu:gnutls:1.3.4</software> | |
| <software>cpe:/a:gnu:gnutls:1.3.5</software> | |
| <software>cpe:/a:gnu:gnutls:1.4.0</software> | |
| <software>cpe:/a:gnu:gnutls:1.4.1</software> | |
| <software>cpe:/a:gnu:gnutls:1.4.2</software> | |
| <software>cpe:/a:gnu:gnutls:1.4.3</software> | |
| <software>cpe:/a:gnu:gnutls:1.4.4</software> | |
| <software>cpe:/a:gnu:gnutls:1.4.5</software> | |
| <software>cpe:/a:gnu:gnutls:1.5.0</software> | |
| <software>cpe:/a:gnu:gnutls:1.5.1</software> | |
| <software>cpe:/a:gnu:gnutls:1.5.2</software> | |
| <software>cpe:/a:gnu:gnutls:1.5.3</software> | |
| <software>cpe:/a:gnu:gnutls:1.5.4</software> | |
| <software>cpe:/a:gnu:gnutls:1.5.5</software> | |
| <software>cpe:/a:gnu:gnutls:1.6.0</software> | |
| <software>cpe:/a:gnu:gnutls:1.6.1</software> | |
| <software>cpe:/a:gnu:gnutls:1.6.2</software> | |
| <software>cpe:/a:gnu:gnutls:1.6.3</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.0</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.1</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.2</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.3</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.4</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.5</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.6</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.7</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.8</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.9</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.10</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.11</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.12</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.13</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.14</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.15</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.16</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.17</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.18</software> | |
| <software>cpe:/a:gnu:gnutls:1.7.19</software> | |
| <software>cpe:/a:gnu:gnutls:2.0.0</software> | |
| <software>cpe:/a:gnu:gnutls:2.0.1</software> | |
| <software>cpe:/a:gnu:gnutls:2.0.2</software> | |
| <software>cpe:/a:gnu:gnutls:2.0.3</software> | |
| <software>cpe:/a:gnu:gnutls:2.0.4</software> | |
| <software>cpe:/a:gnu:gnutls:2.1.0</software> | |
| <software>cpe:/a:gnu:gnutls:2.1.1</software> | |
| <software>cpe:/a:gnu:gnutls:2.1.2</software> | |
| <software>cpe:/a:gnu:gnutls:2.1.3</software> | |
| <software>cpe:/a:gnu:gnutls:2.1.4</software> | |
| <software>cpe:/a:gnu:gnutls:2.1.5</software> | |
| <software>cpe:/a:gnu:gnutls:2.1.6</software> | |
| <software>cpe:/a:gnu:gnutls:2.1.7</software> | |
| <software>cpe:/a:gnu:gnutls:2.1.8</software> | |
| <software>cpe:/a:gnu:gnutls:2.2.0</software> | |
| <software>cpe:/a:gnu:gnutls:2.2.1</software> | |
| <software>cpe:/a:gnu:gnutls:2.2.2</software> | |
| <software>cpe:/a:gnu:gnutls:2.2.3</software> | |
| <software>cpe:/a:gnu:gnutls:2.2.4</software> | |
| <software>cpe:/a:gnu:gnutls:2.2.5</software> | |
| <software>cpe:/a:gnu:gnutls:2.3.0</software> | |
| <software>cpe:/a:gnu:gnutls:2.3.1</software> | |
| <software>cpe:/a:gnu:gnutls:2.3.2</software> | |
| <software>cpe:/a:gnu:gnutls:2.3.3</software> | |
| <software>cpe:/a:gnu:gnutls:2.3.4</software> | |
| <software>cpe:/a:gnu:gnutls:2.3.5</software> | |
| <software>cpe:/a:gnu:gnutls:2.3.6</software> | |
| <software>cpe:/a:gnu:gnutls:2.3.7</software> | |
| <software>cpe:/a:gnu:gnutls:2.3.8</software> | |
| <software>cpe:/a:gnu:gnutls:2.3.9</software> | |
| <software>cpe:/a:gnu:gnutls:2.3.10</software> | |
| <software>cpe:/a:gnu:gnutls:2.3.11</software> | |
| <software>cpe:/a:gnu:gnutls:2.4.0</software> | |
| <software>cpe:/a:gnu:gnutls:2.4.1</software> | |
| <software>cpe:/a:gnu:gnutls:2.4.2</software> | |
| <software>cpe:/a:gnu:gnutls:2.5.0</software> | |
| <software>cpe:/a:gnu:gnutls:2.6.0</software> | |
| <software>cpe:/a:gnu:gnutls:2.6.1</software> | |
| <software>cpe:/a:gnu:gnutls:2.6.2</software> | |
| <software>cpe:/a:gnu:gnutls:2.6.3</software> | |
| <software>cpe:/a:gnu:gnutls:2.6.4</software> | |
| <software>cpe:/a:gnu:gnutls:2.6.5</software> | |
| <software>cpe:/a:gnu:gnutls:2.6.6</software> | |
| <software>cpe:/a:gnu:gnutls:2.8.0</software> | |
| <software allPreviousVersion="true">cpe:/a:gnu:gnutls:2.8.1</software> | |
| <software>cpe:/a:microsoft:iis:7.0</software> | |
| <software>cpe:/a:mozilla:nss:3.0</software> | |
| <software>cpe:/a:mozilla:nss:3.2</software> | |
| <software>cpe:/a:mozilla:nss:3.2.1</software> | |
| <software>cpe:/a:mozilla:nss:3.3</software> | |
| <software>cpe:/a:mozilla:nss:3.3.1</software> | |
| <software>cpe:/a:mozilla:nss:3.3.2</software> | |
| <software>cpe:/a:mozilla:nss:3.4</software> | |
| <software>cpe:/a:mozilla:nss:3.4.1</software> | |
| <software>cpe:/a:mozilla:nss:3.4.2</software> | |
| <software>cpe:/a:mozilla:nss:3.4.3</software> | |
| <software>cpe:/a:mozilla:nss:3.5</software> | |
| <software>cpe:/a:mozilla:nss:3.6</software> | |
| <software>cpe:/a:mozilla:nss:3.6.1</software> | |
| <software>cpe:/a:mozilla:nss:3.7</software> | |
| <software>cpe:/a:mozilla:nss:3.7.1</software> | |
| <software>cpe:/a:mozilla:nss:3.7.2</software> | |
| <software>cpe:/a:mozilla:nss:3.7.3</software> | |
| <software>cpe:/a:mozilla:nss:3.7.5</software> | |
| <software>cpe:/a:mozilla:nss:3.7.7</software> | |
| <software>cpe:/a:mozilla:nss:3.8</software> | |
| <software>cpe:/a:mozilla:nss:3.9</software> | |
| <software>cpe:/a:mozilla:nss:3.9.5</software> | |
| <software>cpe:/a:mozilla:nss:3.10</software> | |
| <software>cpe:/a:mozilla:nss:3.11.2</software> | |
| <software>cpe:/a:mozilla:nss:3.11.4</software> | |
| <software>cpe:/a:mozilla:nss:3.11.7</software> | |
| <software>cpe:/a:mozilla:nss:3.11.8</software> | |
| <software>cpe:/a:mozilla:nss:3.12</software> | |
| <software>cpe:/a:mozilla:nss:3.12.1</software> | |
| <software allPreviousVersion="true">cpe:/a:mozilla:nss:3.12.2</software> | |
| <software>cpe:/a:openssl:openssl:0.9.1c</software> | |
| <software>cpe:/a:openssl:openssl:0.9.2b</software> | |
| <software>cpe:/a:openssl:openssl:0.9.3</software> | |
| <software>cpe:/a:openssl:openssl:0.9.3a</software> | |
| <software>cpe:/a:openssl:openssl:0.9.4</software> | |
| <software>cpe:/a:openssl:openssl:0.9.5</software> | |
| <software>cpe:/a:openssl:openssl:0.9.5:beta1</software> | |
| <software>cpe:/a:openssl:openssl:0.9.5:beta2</software> | |
| <software>cpe:/a:openssl:openssl:0.9.5a</software> | |
| <software>cpe:/a:openssl:openssl:0.9.5a:beta1</software> | |
| <software>cpe:/a:openssl:openssl:0.9.5a:beta2</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6:beta1</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6:beta2</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6:beta3</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6a</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6a:beta1</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6a:beta2</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6a:beta3</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6b</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6c</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6d</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6e</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6f</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6g</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6h</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6i</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6j</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6k</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6l</software> | |
| <software>cpe:/a:openssl:openssl:0.9.6m</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7:beta1</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7:beta2</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7:beta3</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7:beta4</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7:beta5</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7:beta6</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7a</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7b</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7c</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7d</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7e</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7f</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7g</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7h</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7i</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7j</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7k</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7l</software> | |
| <software>cpe:/a:openssl:openssl:0.9.7m</software> | |
| <software>cpe:/a:openssl:openssl:0.9.8</software> | |
| <software>cpe:/a:openssl:openssl:0.9.8a</software> | |
| <software>cpe:/a:openssl:openssl:0.9.8b</software> | |
| <software>cpe:/a:openssl:openssl:0.9.8c</software> | |
| <software>cpe:/a:openssl:openssl:0.9.8d</software> | |
| <software>cpe:/a:openssl:openssl:0.9.8e</software> | |
| <software>cpe:/a:openssl:openssl:0.9.8f</software> | |
| <software>cpe:/a:openssl:openssl:0.9.8g</software> | |
| <software allPreviousVersion="true">cpe:/a:openssl:openssl:0.9.8h</software> | |
| <software>cpe:/a:openssl:openssl:1.0::openvms</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2009-3095</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <cwe>CWE-264 Permissions, Privileges, and Access Controls</cwe> | |
| <description>The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html</url> | |
| <name>APPLE-SA-2010-03-29-1</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/508075/100/0/threaded</url> | |
| <name>20091124 rPSA-2009-0155-1 httpd mod_ssl</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT4077</url> | |
| <name>http://support.apple.com/kb/HT4077</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://wiki.rpath.com/Advisories:rPSA-2009-0155</url> | |
| <name>http://wiki.rpath.com/Advisories:rPSA-2009-0155</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=522209</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=522209</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2009/dsa-1934</url> | |
| <name>DSA-1934</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00645.html</url> | |
| <name>FEDORA-2009-12604</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00944.html</url> | |
| <name>FEDORA-2009-12606</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=130497311408250&w=2</url> | |
| <name>HPSBOV02683</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=126998684522511&w=2</url> | |
| <name>SSRT090244</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=127557640302499&w=2</url> | |
| <name>SSRT100108</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=133355494609819&w=2</url> | |
| <name>SSRT100782</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://intevydis.com/vd-list.shtml</url> | |
| <name>http://intevydis.com/vd-list.shtml</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html</url> | |
| <name>SUSE-SA:2009:050</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2009-2699</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>The Solaris pollset feature in the Event Port backend in poll/unix/port.c in the Apache Portable Runtime (APR) library before 1.3.9, as used in the Apache HTTP Server before 2.2.14 and other products, does not properly handle errors, which allows remote attackers to cause a denial of service (daemon hang) via unspecified HTTP requests, related to the prefork and event MPMs.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/36596</url> | |
| <name>36596</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/httpd/CHANGES_2.2.14</url> | |
| <name>http://www.apache.org/dist/httpd/CHANGES_2.2.14</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://issues.apache.org/bugzilla/show_bug.cgi?id=47645</url> | |
| <name>https://issues.apache.org/bugzilla/show_bug.cgi?id=47645</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=133355494609819&w=2</url> | |
| <name>SSRT100782</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2013:150</url> | |
| <name>MDVSA-2013:150</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://securitytracker.com/id?1022988</url> | |
| <name>1022988</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/53666</url> | |
| <name>apache-solaris-pollset-dos(53666)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:apr:0.9.7</software> | |
| <software>cpe:/a:apache:apr:0.9.17</software> | |
| <software>cpe:/a:apache:apr:0.9.18</software> | |
| <software>cpe:/a:apache:apr:1.2.1</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:apr:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:0.8.11</software> | |
| <software>cpe:/a:apache:http_server:0.8.14</software> | |
| <software>cpe:/a:apache:http_server:1.0.2</software> | |
| <software>cpe:/a:apache:http_server:1.0.3</software> | |
| <software>cpe:/a:apache:http_server:1.0.5</software> | |
| <software>cpe:/a:apache:http_server:1.1</software> | |
| <software>cpe:/a:apache:http_server:1.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.2</software> | |
| <software>cpe:/a:apache:http_server:1.2.4</software> | |
| <software>cpe:/a:apache:http_server:1.2.5</software> | |
| <software>cpe:/a:apache:http_server:1.2.6</software> | |
| <software>cpe:/a:apache:http_server:1.2.9</software> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.16</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.34</software> | |
| <software>cpe:/a:apache:http_server:1.3.35</software> | |
| <software>cpe:/a:apache:http_server:1.3.36</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:1.3.65</software> | |
| <software>cpe:/a:apache:http_server:1.3.68</software> | |
| <software>cpe:/a:apache:http_server:1.4.0</software> | |
| <software>cpe:/a:apache:http_server:1.99</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.2</software> | |
| <software>cpe:/a:apache:http_server:2.1.3</software> | |
| <software>cpe:/a:apache:http_server:2.1.4</software> | |
| <software>cpe:/a:apache:http_server:2.1.5</software> | |
| <software>cpe:/a:apache:http_server:2.1.6</software> | |
| <software>cpe:/a:apache:http_server:2.1.7</software> | |
| <software>cpe:/a:apache:http_server:2.1.8</software> | |
| <software>cpe:/a:apache:http_server:2.1.9</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.5</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.7</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.2.13</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2009-1955</name> | |
| <cvssScore>7.8</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <cwe>CWE-399 Resource Management Errors</cwe> | |
| <description>The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.</description> | |
| <references> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg1PK88342</url> | |
| <name>PK88342</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg1PK91241</url> | |
| <name>PK91241</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg1PK99478</url> | |
| <name>PK99478</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html</url> | |
| <name>APPLE-SA-2009-11-09-1</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/35253</url> | |
| <name>35253</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/506053/100/0/threaded</url> | |
| <name>20090824 rPSA-2009-0123-1 apr-util</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT3937</url> | |
| <name>http://support.apple.com/kb/HT3937</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=rev&revision=781403</url> | |
| <name>http://svn.apache.org/viewvc?view=rev&revision=781403</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://wiki.rpath.com/Advisories:rPSA-2009-0123</url> | |
| <name>http://wiki.rpath.com/Advisories:rPSA-2009-0123</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg27014463</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg27014463</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3</url> | |
| <name>http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2009/dsa-1812</url> | |
| <name>DSA-1812</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01228.html</url> | |
| <name>FEDORA-2009-5969</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01173.html</url> | |
| <name>FEDORA-2009-6014</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01201.html</url> | |
| <name>FEDORA-2009-6261</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200907-03.xml</url> | |
| <name>GLSA-200907-03</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=129190899612998&w=2</url> | |
| <name>HPSBUX02612</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2009:131</url> | |
| <name>MDVSA-2009:131</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2013:150</url> | |
| <name>MDVSA-2013:150</name> | |
| </reference> | |
| <reference> | |
| <source>MILW0RM</source> | |
| <url>http://www.milw0rm.com/exploits/8842</url> | |
| <name>8842</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://marc.info/?l=apr-dev&m=124396021826125&w=2</url> | |
| <name>[apr-dev] 20090602 [PATCH] prevent "billion laughs" attack against expat</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://www.openwall.com/lists/oss-security/2009/06/03/4</url> | |
| <name>[oss-security] 20090603 CVE request: "billion laughs" attack against Apache APR</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2009-1107.html</url> | |
| <name>RHSA-2009:1107</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2009-1108.html</url> | |
| <name>RHSA-2009:1108</name> | |
| </reference> | |
| <reference> | |
| <source>SLACKWARE</source> | |
| <url>http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.538210</url> | |
| <name>SSA:2009-167-02</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html</url> | |
| <name>SUSE-SR:2010:011</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/usn-786-1</url> | |
| <name>USN-786-1</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/usn-787-1</url> | |
| <name>USN-787-1</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/1907</url> | |
| <name>ADV-2009-1907</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3184</url> | |
| <name>ADV-2009-3184</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/1107</url> | |
| <name>ADV-2010-1107</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:apr-util:0.9.1</software> | |
| <software>cpe:/a:apache:apr-util:0.9.2</software> | |
| <software>cpe:/a:apache:apr-util:0.9.3</software> | |
| <software>cpe:/a:apache:apr-util:0.9.4</software> | |
| <software>cpe:/a:apache:apr-util:0.9.5</software> | |
| <software>cpe:/a:apache:apr-util:1.0</software> | |
| <software>cpe:/a:apache:apr-util:1.0.1</software> | |
| <software>cpe:/a:apache:apr-util:1.0.2</software> | |
| <software>cpe:/a:apache:apr-util:1.1.0</software> | |
| <software>cpe:/a:apache:apr-util:1.1.1</software> | |
| <software>cpe:/a:apache:apr-util:1.1.2</software> | |
| <software>cpe:/a:apache:apr-util:1.2.1</software> | |
| <software>cpe:/a:apache:apr-util:1.2.2</software> | |
| <software>cpe:/a:apache:apr-util:1.2.6</software> | |
| <software>cpe:/a:apache:apr-util:1.2.7</software> | |
| <software>cpe:/a:apache:apr-util:1.2.8</software> | |
| <software>cpe:/a:apache:apr-util:1.3.0</software> | |
| <software>cpe:/a:apache:apr-util:1.3.1</software> | |
| <software>cpe:/a:apache:apr-util:1.3.2</software> | |
| <software>cpe:/a:apache:apr-util:1.3.3</software> | |
| <software>cpe:/a:apache:apr-util:1.3.4</software> | |
| <software>cpe:/a:apache:apr-util:1.3.5</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:apr-util:1.3.6</software> | |
| <software>cpe:/a:apache:http_server</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2009-1891</name> | |
| <cvssScore>7.1</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <cwe>CWE-399 Resource Management Errors</cwe> | |
| <description>The mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until completion even after the associated network connection is closed, which allows remote attackers to cause a denial of service (CPU consumption).</description> | |
| <references> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg1PK91361</url> | |
| <name>PK91361</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg1PK99480</url> | |
| <name>PK99480</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html</url> | |
| <name>APPLE-SA-2009-11-09-1</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/507857/100/0/threaded</url> | |
| <name>20091113 rPSA-2009-0142-2 httpd mod_ssl</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT3937</url> | |
| <name>http://support.apple.com/kb/HT3937</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://wiki.rpath.com/Advisories:rPSA-2009-0142</url> | |
| <name>http://wiki.rpath.com/Advisories:rPSA-2009-0142</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0142</url> | |
| <name>http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0142</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=509125</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=509125</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2009/dsa-1834</url> | |
| <name>DSA-1834</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01363.html</url> | |
| <name>FEDORA-2009-8812</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200907-04.xml</url> | |
| <name>GLSA-200907-04</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=130497311408250&w=2</url> | |
| <name>HPSBOV02683</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=129190899612998&w=2</url> | |
| <name>SSRT100345</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2009:149</url> | |
| <name>MDVSA-2009:149</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712</url> | |
| <name>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://marc.info/?l=apache-httpd-dev&m=124621326524824&w=2</url> | |
| <name>[apache-httpd-dev] 20090628 mod_deflate DoS</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://marc.info/?l=apache-httpd-dev&m=124661528519546&w=2</url> | |
| <name>[apache-httpd-dev] 20090703 Re: mod_deflate DoS</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>https://rhn.redhat.com/errata/RHSA-2009-1148.html</url> | |
| <name>RHSA-2009:1148</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2009-1156.html</url> | |
| <name>RHSA-2009:1156</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1022529</url> | |
| <name>1022529</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html</url> | |
| <name>SUSE-SA:2009:050</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-802-1</url> | |
| <name>USN-802-1</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/1841</url> | |
| <name>ADV-2009-1841</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3184</url> | |
| <name>ADV-2009-3184</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:0.8.11</software> | |
| <software>cpe:/a:apache:http_server:0.8.14</software> | |
| <software>cpe:/a:apache:http_server:1.0.2</software> | |
| <software>cpe:/a:apache:http_server:1.0.3</software> | |
| <software>cpe:/a:apache:http_server:1.0.5</software> | |
| <software>cpe:/a:apache:http_server:1.1</software> | |
| <software>cpe:/a:apache:http_server:1.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.2</software> | |
| <software>cpe:/a:apache:http_server:1.2.4</software> | |
| <software>cpe:/a:apache:http_server:1.2.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.99</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.2</software> | |
| <software>cpe:/a:apache:http_server:2.1.3</software> | |
| <software>cpe:/a:apache:http_server:2.1.4</software> | |
| <software>cpe:/a:apache:http_server:2.1.5</software> | |
| <software>cpe:/a:apache:http_server:2.1.6</software> | |
| <software>cpe:/a:apache:http_server:2.1.7</software> | |
| <software>cpe:/a:apache:http_server:2.1.8</software> | |
| <software>cpe:/a:apache:http_server:2.1.9</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.5</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.7</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.2.11</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2009-1890</name> | |
| <cvssScore>7.1</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <cwe>CWE-189 Numeric Errors</cwe> | |
| <description>The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.</description> | |
| <references> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg1PK91259</url> | |
| <name>PK91259</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg1PK99480</url> | |
| <name>PK99480</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html</url> | |
| <name>APPLE-SA-2009-11-09-1</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/35565</url> | |
| <name>35565</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/507852/100/0/threaded</url> | |
| <name>20091112 rPSA-2009-0142-1 httpd mod_ssl</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/507857/100/0/threaded</url> | |
| <name>20091113 rPSA-2009-0142-2 httpd mod_ssl</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT3937</url> | |
| <name>http://support.apple.com/kb/HT3937</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrev=790587</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrev=790587</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?revision=790587</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?revision=790587</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=790587&r2=790586&pathrev=790587</url> | |
| <name>http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=790587&r2=790586&pathrev=790587</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=rev&revision=790587</url> | |
| <name>http://svn.apache.org/viewvc?view=rev&revision=790587</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://wiki.rpath.com/Advisories:rPSA-2009-0142</url> | |
| <name>http://wiki.rpath.com/Advisories:rPSA-2009-0142</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2009/dsa-1834</url> | |
| <name>DSA-1834</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01363.html</url> | |
| <name>FEDORA-2009-8812</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200907-04.xml</url> | |
| <name>GLSA-200907-04</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=129190899612998&w=2</url> | |
| <name>HPSBUX02612</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2009:149</url> | |
| <name>MDVSA-2009:149</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2013:150</url> | |
| <name>MDVSA-2013:150</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>https://rhn.redhat.com/errata/RHSA-2009-1148.html</url> | |
| <name>RHSA-2009:1148</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2009-1156.html</url> | |
| <name>RHSA-2009:1156</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1022509</url> | |
| <name>1022509</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html</url> | |
| <name>SUSE-SA:2009:050</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-802-1</url> | |
| <name>USN-802-1</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3184</url> | |
| <name>ADV-2009-3184</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:::win32</software> | |
| <software>cpe:/a:apache:http_server:0.8.11</software> | |
| <software>cpe:/a:apache:http_server:0.8.14</software> | |
| <software>cpe:/a:apache:http_server:1.0</software> | |
| <software>cpe:/a:apache:http_server:1.0.2</software> | |
| <software>cpe:/a:apache:http_server:1.0.3</software> | |
| <software>cpe:/a:apache:http_server:1.0.5</software> | |
| <software>cpe:/a:apache:http_server:1.1</software> | |
| <software>cpe:/a:apache:http_server:1.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.2</software> | |
| <software>cpe:/a:apache:http_server:1.2.4</software> | |
| <software>cpe:/a:apache:http_server:1.2.5</software> | |
| <software>cpe:/a:apache:http_server:1.2.6</software> | |
| <software>cpe:/a:apache:http_server:1.2.9</software> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.6::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.7::dev</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.9::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.11::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.12::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.13::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.14::mac_os</software> | |
| <software>cpe:/a:apache:http_server:1.3.14::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.15::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.16</software> | |
| <software>cpe:/a:apache:http_server:1.3.16::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.17::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.18::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.19::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.20::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.22::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.23::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.24::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.25::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.26::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.34</software> | |
| <software>cpe:/a:apache:http_server:1.3.35</software> | |
| <software>cpe:/a:apache:http_server:1.3.36</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:1.3.65</software> | |
| <software>cpe:/a:apache:http_server:1.3.68</software> | |
| <software>cpe:/a:apache:http_server:1.4.0</software> | |
| <software>cpe:/a:apache:http_server:1.99</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta:win32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta:win32</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta:win32</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.46::win32</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.58::win32</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.2</software> | |
| <software>cpe:/a:apache:http_server:2.1.3</software> | |
| <software>cpe:/a:apache:http_server:2.1.4</software> | |
| <software>cpe:/a:apache:http_server:2.1.5</software> | |
| <software>cpe:/a:apache:http_server:2.1.6</software> | |
| <software>cpe:/a:apache:http_server:2.1.7</software> | |
| <software>cpe:/a:apache:http_server:2.1.8</software> | |
| <software>cpe:/a:apache:http_server:2.1.9</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.2::windows</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.3::windows</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.5</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.7</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.3.0</software> | |
| <software>cpe:/a:apache:http_server:2.3.1</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.3.2</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2009-1195</name> | |
| <cvssScore>4.9</cvssScore> | |
| <cvssAccessVector>LOCAL</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-16 Configuration</cwe> | |
| <description>The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html</url> | |
| <name>APPLE-SA-2009-11-09-1</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/35115</url> | |
| <name>35115</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/507852/100/0/threaded</url> | |
| <name>20091112 rPSA-2009-0142-1 httpd mod_ssl</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/507857/100/0/threaded</url> | |
| <name>20091113 rPSA-2009-0142-2 httpd mod_ssl</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT3937</url> | |
| <name>http://support.apple.com/kb/HT3937</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=rev&revision=772997</url> | |
| <name>http://svn.apache.org/viewvc?view=rev&revision=772997</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://wiki.rpath.com/Advisories:rPSA-2009-0142</url> | |
| <name>http://wiki.rpath.com/Advisories:rPSA-2009-0142</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=489436</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=489436</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2009/dsa-1816</url> | |
| <name>DSA-1816</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01363.html</url> | |
| <name>FEDORA-2009-8812</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200907-04.xml</url> | |
| <name>GLSA-200907-04</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=129190899612998&w=2</url> | |
| <name>HPSBUX02612</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2009:124</url> | |
| <name>MDVSA-2009:124</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://marc.info/?l=apache-httpd-dev&m=124048996106302&w=2</url> | |
| <name>[apache-httpd-dev] 20090423 Includes vs IncludesNoExec security issue - help needed</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2009-1075.html</url> | |
| <name>RHSA-2009:1075</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2009-1156.html</url> | |
| <name>RHSA-2009:1156</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1022296</url> | |
| <name>1022296</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html</url> | |
| <name>SUSE-SA:2009:050</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/usn-787-1</url> | |
| <name>USN-787-1</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/1444</url> | |
| <name>ADV-2009-1444</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/3184</url> | |
| <name>ADV-2009-3184</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/50808</url> | |
| <name>apache-allowoverrides-security-bypass(50808)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.2::windows</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.3::windows</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.5</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.7</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.2.11</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2008-2939</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</cwe> | |
| <description>Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.</description> | |
| <references> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/docview.wss?uid=swg1PK70197</url> | |
| <name>PK70197</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/docview.wss?uid=swg1PK70937</url> | |
| <name>PK70937</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2009/May/msg00002.html</url> | |
| <name>APPLE-SA-2009-05-12</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/30560</url> | |
| <name>30560</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/495180/100/0/threaded</url> | |
| <name>20080806 Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/498566/100/0/threaded</url> | |
| <name>20081122 rPSA-2008-0327-1 httpd mod_ssl</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/498567/100/0/threaded</url> | |
| <name>20081122 rPSA-2008-0328-1 httpd mod_ssl</name> | |
| </reference> | |
| <reference> | |
| <source>CERT</source> | |
| <url>http://www.us-cert.gov/cas/techalerts/TA09-133A.html</url> | |
| <name>TA09-133A</name> | |
| </reference> | |
| <reference> | |
| <source>CERT-VN</source> | |
| <url>http://www.kb.cert.org/vuls/id/663763</url> | |
| <name>VU#663763</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT3549</url> | |
| <name>http://support.apple.com/kb/HT3549</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=rev&revision=682868</url> | |
| <name>http://svn.apache.org/viewvc?view=rev&revision=682868</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=rev&revision=682870</url> | |
| <name>http://svn.apache.org/viewvc?view=rev&revision=682870</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=rev&revision=682871</url> | |
| <name>http://svn.apache.org/viewvc?view=rev&revision=682871</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://wiki.rpath.com/Advisories:rPSA-2008-0327</url> | |
| <name>http://wiki.rpath.com/Advisories:rPSA-2008-0327</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0328</url> | |
| <name>http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0328</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=123376588623823&w=2</url> | |
| <name>HPSBUX02401</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=125631037611762&w=2</url> | |
| <name>HPSBUX02465</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2008:194</url> | |
| <name>MDVSA-2008:194</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2008:195</url> | |
| <name>MDVSA-2008:195</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2009:124</url> | |
| <name>MDVSA-2009:124</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.rapid7.com/advisories/R7-0033</url> | |
| <name>http://www.rapid7.com/advisories/R7-0033</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0966.html</url> | |
| <name>RHSA-2008:0966</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2008-0967.html</url> | |
| <name>RHSA-2008:0967</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1020635</url> | |
| <name>1020635</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-247666-1</url> | |
| <name>247666</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00000.html</url> | |
| <name>SUSE-SR:2008:024</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-731-1</url> | |
| <name>USN-731-1</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/2315</url> | |
| <name>ADV-2008-2315</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/2461</url> | |
| <name>ADV-2008-2461</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/0320</url> | |
| <name>ADV-2009-0320</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/1297</url> | |
| <name>ADV-2009-1297</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/44223</url> | |
| <name>apache-modproxyftp-xss(44223)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.0.63</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.5</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software allPreviousVersion="true">cpe:/a:apple:mac_os_x:10.5.6</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2008-2579</name> | |
| <cvssScore>6.8</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>Unspecified vulnerability in the WebLogic Server Plugins for Apache, Sun and IIS web servers component in Oracle BEA Product Suite 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0 SP7, and 6.1 SP7 has unknown impact and remote attack vectors.</description> | |
| <references> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00727143</url> | |
| <name>HPSBMA02133</name> | |
| </reference> | |
| <reference> | |
| <source>JVN</source> | |
| <url>http://jvn.jp/en/jp/JVN81667751/index.html</url> | |
| <name>JVN#81667751</name> | |
| </reference> | |
| <reference> | |
| <source>JVNDB</source> | |
| <url>http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000040.html</url> | |
| <name>JVNDB-2008-000040</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1020498</url> | |
| <name>1020498</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/2109/references</url> | |
| <name>ADV-2008-2109</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/2115</url> | |
| <name>ADV-2008-2115</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/43823</url> | |
| <name>oracle-weblogic-plugins-unauth-access(43823)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| <software>cpe:/a:microsoft:internet_information_server</software> | |
| <software>cpe:/a:oracle:bea_product_suite:6.1:sp7</software> | |
| <software>cpe:/a:oracle:bea_product_suite:7.0:sp7</software> | |
| <software>cpe:/a:oracle:bea_product_suite:8.1:sp6</software> | |
| <software>cpe:/a:oracle:bea_product_suite:9.0</software> | |
| <software>cpe:/a:oracle:bea_product_suite:9.1</software> | |
| <software>cpe:/a:oracle:bea_product_suite:9.2:mp3</software> | |
| <software>cpe:/a:oracle:bea_product_suite:10.0:mp1</software> | |
| <software>cpe:/a:oracle:weblogic_server_component:6.1:sp7</software> | |
| <software>cpe:/a:oracle:weblogic_server_component:7.0:sp7</software> | |
| <software>cpe:/a:oracle:weblogic_server_component:8.1:sp6</software> | |
| <software>cpe:/a:oracle:weblogic_server_component:9.0</software> | |
| <software>cpe:/a:oracle:weblogic_server_component:9.1</software> | |
| <software>cpe:/a:oracle:weblogic_server_component:9.2:mp3</software> | |
| <software>cpe:/a:oracle:weblogic_server_component:10.0:mp1</software> | |
| <software>cpe:/a:sun:java_system_web_server</software> | |
| <software>cpe:/a:sun:one_web_server</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2008-0456</name> | |
| <cvssScore>2.6</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>HIGH</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Low</severity> | |
| <cwe>CWE-94 Improper Control of Generation of Code ('Code Injection')</cwe> | |
| <description>CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2009/May/msg00002.html</url> | |
| <name>APPLE-SA-2009-05-12</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/27409</url> | |
| <name>27409</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/486847/100/0/threaded</url> | |
| <name>20080122 Apache mod_negotiation Xss and Http Response Splitting</name> | |
| </reference> | |
| <reference> | |
| <source>CERT</source> | |
| <url>http://www.us-cert.gov/cas/techalerts/TA09-133A.html</url> | |
| <name>TA09-133A</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.apple.com/kb/HT3549</url> | |
| <name>http://support.apple.com/kb/HT3549</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200803-19.xml</url> | |
| <name>GLSA-200803-19</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.mindedsecurity.com/MSA01150108.html</url> | |
| <name>http://www.mindedsecurity.com/MSA01150108.html</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2013-0130.html</url> | |
| <name>RHSA-2013:0130</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://securitytracker.com/id?1019256</url> | |
| <name>1019256</name> | |
| </reference> | |
| <reference> | |
| <source>SREASON</source> | |
| <url>http://securityreason.com/securityalert/3575</url> | |
| <name>3575</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/1297</url> | |
| <name>ADV-2009-1297</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/39893</url> | |
| <name>apache-modnegotiation-response-splitting(39893)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:1.3.39</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.0.61</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.2.6</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2008-0455</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</cwe> | |
| <description>Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/27409</url> | |
| <name>27409</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/486847/100/0/threaded</url> | |
| <name>20080122 Apache mod_negotiation Xss and Http Response Splitting</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200803-19.xml</url> | |
| <name>GLSA-200803-19</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.mindedsecurity.com/MSA01150108.html</url> | |
| <name>http://www.mindedsecurity.com/MSA01150108.html</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2012-1591.html</url> | |
| <name>RHSA-2012:1591</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2012-1592.html</url> | |
| <name>RHSA-2012:1592</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2012-1594.html</url> | |
| <name>RHSA-2012:1594</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2013-0130.html</url> | |
| <name>RHSA-2013:0130</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://securitytracker.com/id?1019256</url> | |
| <name>1019256</name> | |
| </reference> | |
| <reference> | |
| <source>SREASON</source> | |
| <url>http://securityreason.com/securityalert/3575</url> | |
| <name>3575</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/39867</url> | |
| <name>apache-modnegotiation-xss(39867)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.34</software> | |
| <software>cpe:/a:apache:http_server:1.3.35</software> | |
| <software>cpe:/a:apache:http_server:1.3.36</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.5</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2007-6750</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-399 Resource Management Errors</cwe> | |
| <description>The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15.</description> | |
| <references> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2007-01/0229.html</url> | |
| <name>20070105 Re: a cheesy Apache / IIS DoS vuln (+a question)</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017</url> | |
| <name>https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380</url> | |
| <name>https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=136612293908376&w=2</url> | |
| <name>SSRT101139</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://ha.ckers.org/slowloris/</url> | |
| <name>http://ha.ckers.org/slowloris/</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00026.html</url> | |
| <name>openSUSE-SU-2012:0314</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/72345</url> | |
| <name>apache-server-http-dos(72345)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.0</software> | |
| <software>cpe:/a:apache:http_server:1.0.2</software> | |
| <software>cpe:/a:apache:http_server:1.0.3</software> | |
| <software>cpe:/a:apache:http_server:1.0.5</software> | |
| <software>cpe:/a:apache:http_server:1.1</software> | |
| <software>cpe:/a:apache:http_server:1.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.2</software> | |
| <software>cpe:/a:apache:http_server:1.2.4</software> | |
| <software>cpe:/a:apache:http_server:1.2.5</software> | |
| <software>cpe:/a:apache:http_server:1.2.6</software> | |
| <software>cpe:/a:apache:http_server:1.2.9</software> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.16</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.34</software> | |
| <software>cpe:/a:apache:http_server:1.3.35</software> | |
| <software>cpe:/a:apache:http_server:1.3.36</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:1.3.41</software> | |
| <software>cpe:/a:apache:http_server:1.3.42</software> | |
| <software>cpe:/a:apache:http_server:1.3.65</software> | |
| <software>cpe:/a:apache:http_server:1.3.68</software> | |
| <software>cpe:/a:apache:http_server:1.4.0</software> | |
| <software>cpe:/a:apache:http_server:1.99</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.0.63</software> | |
| <software>cpe:/a:apache:http_server:2.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.1</software> | |
| <software>cpe:/a:apache:http_server:2.1.2</software> | |
| <software>cpe:/a:apache:http_server:2.1.3</software> | |
| <software>cpe:/a:apache:http_server:2.1.4</software> | |
| <software>cpe:/a:apache:http_server:2.1.5</software> | |
| <software>cpe:/a:apache:http_server:2.1.6</software> | |
| <software>cpe:/a:apache:http_server:2.1.7</software> | |
| <software>cpe:/a:apache:http_server:2.1.8</software> | |
| <software>cpe:/a:apache:http_server:2.1.9</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.0</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| <software>cpe:/a:apache:http_server:2.2.8</software> | |
| <software>cpe:/a:apache:http_server:2.2.9</software> | |
| <software>cpe:/a:apache:http_server:2.2.10</software> | |
| <software>cpe:/a:apache:http_server:2.2.11</software> | |
| <software>cpe:/a:apache:http_server:2.2.12</software> | |
| <software>cpe:/a:apache:http_server:2.2.13</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.2.14</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2007-6388</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</cwe> | |
| <description>Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.</description> | |
| <references> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/search.wss?rs=0&q=PK59667&apar=only</url> | |
| <name>PK59667</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/docview.wss?uid=swg1PK62966</url> | |
| <name>PK62966</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/docview.wss?uid=swg1PK63273</url> | |
| <name>PK63273</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/docview.wss?uid=swg24019245</url> | |
| <name>PK65782</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html</url> | |
| <name>APPLE-SA-2008-03-18</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2008//May/msg00001.html</url> | |
| <name>APPLE-SA-2008-05-28</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/27237</url> | |
| <name>27237</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/494428/100/0/threaded</url> | |
| <name>20080716 rPSA-2008-0035-1 httpd mod_ssl</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/505990/100/0/threaded</url> | |
| <name>20090821 VMSA-2009-0010 VMware Hosted products update libpng and Apache HTTP Server</name> | |
| </reference> | |
| <reference> | |
| <source>CERT</source> | |
| <url>http://www.us-cert.gov/cas/techalerts/TA08-150A.html</url> | |
| <name>TA08-150A</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://docs.info.apple.com/article.html?artnum=307562</url> | |
| <name>http://docs.info.apple.com/article.html?artnum=307562</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/security/vulnerabilities_13.html</url> | |
| <name>http://httpd.apache.org/security/vulnerabilities_13.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/security/vulnerabilities_20.html</url> | |
| <name>http://httpd.apache.org/security/vulnerabilities_20.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/security/vulnerabilities_22.html</url> | |
| <name>http://httpd.apache.org/security/vulnerabilities_22.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.avaya.com/elmodocs2/security/ASA-2008-032.htm</url> | |
| <name>http://support.avaya.com/elmodocs2/security/ASA-2008-032.htm</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=689039</url> | |
| <name>http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=689039</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.fujitsu.com/global/support/software/security/products-f/interstage-200808e.html</url> | |
| <name>http://www.fujitsu.com/global/support/software/security/products-f/interstage-200808e.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2008/05/023342-01.pdf</url> | |
| <name>http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2008/05/023342-01.pdf</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00562.html</url> | |
| <name>FEDORA-2008-1695</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00541.html</url> | |
| <name>FEDORA-2008-1711</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/498523/100/0/threaded</url> | |
| <name>HPSBMA02388</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=130497311408250&w=2</url> | |
| <name>HPSBOV02683</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/488082/100/0/threaded</url> | |
| <name>HPSBUX02313</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2008:014</url> | |
| <name>MDVSA-2008:014</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2008:015</url> | |
| <name>MDVSA-2008:015</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2008:016</url> | |
| <name>MDVSA-2008:016</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://lists.vmware.com/pipermail/security-announce/2009/000062.html</url> | |
| <name>[security-announce] 20090820 VMSA-2009-0010 VMware Hosted products update libpng and Apache HTTP Server</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0004.html</url> | |
| <name>RHSA-2008:0004</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0005.html</url> | |
| <name>RHSA-2008:0005</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0006.html</url> | |
| <name>RHSA-2008:0006</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0007.html</url> | |
| <name>RHSA-2008:0007</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0008.html</url> | |
| <name>RHSA-2008:0008</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0009.html</url> | |
| <name>RHSA-2008:0009</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0261.html</url> | |
| <name>RHSA-2008:0261</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://securitytracker.com/id?1019154</url> | |
| <name>1019154</name> | |
| </reference> | |
| <reference> | |
| <source>SLACKWARE</source> | |
| <url>http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.595748</url> | |
| <name>SSA:2008-045-02</name> | |
| </reference> | |
| <reference> | |
| <source>SREASON</source> | |
| <url>http://securityreason.com/securityalert/3541</url> | |
| <name>3541</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-233623-1</url> | |
| <name>233623</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00004.html</url> | |
| <name>SUSE-SA:2008:021</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/usn-575-1</url> | |
| <name>USN-575-1</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/0047</url> | |
| <name>ADV-2008-0047</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/0447/references</url> | |
| <name>ADV-2008-0447</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/0554</url> | |
| <name>ADV-2008-0554</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/0809/references</url> | |
| <name>ADV-2008-0809</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/0924/references</url> | |
| <name>ADV-2008-0924</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/0986/references</url> | |
| <name>ADV-2008-0986</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/1224/references</url> | |
| <name>ADV-2008-1224</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/1623/references</url> | |
| <name>ADV-2008-1623</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/1697</url> | |
| <name>ADV-2008-1697</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/39472</url> | |
| <name>apache-status-page-xss(39472)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:1.3.38</software> | |
| <software>cpe:/a:apache:http_server:1.3.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.5</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2007-5156</name> | |
| <cvssScore>6.8</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload.php in FCKeditor, as used in SiteX CMS 0.7.3.beta, La-Nai CMS, Syntax CMS, Cardinal Cms, and probably other products, allows remote attackers to upload and execute arbitrary PHP code via a file whose name contains ".php." and has an unknown extension, which is recognized as a .php file by the Apache HTTP server, a different vulnerability than CVE-2006-0658 and CVE-2006-2529.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/29422</url> | |
| <name>29422</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/30677</url> | |
| <name>30677</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/480830/100/0/threaded</url> | |
| <name>20070927 [waraxe-2007-SA#057] - Unauthorized File Upload in SiteX CMS</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://sourceforge.net/forum/forum.php?forum_id=743930</url> | |
| <name>http://sourceforge.net/forum/forum.php?forum_id=743930</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://sourceforge.net/project/shownotes.php?release_id=546000</url> | |
| <name>http://sourceforge.net/project/shownotes.php?release_id=546000</name> | |
| </reference> | |
| <reference> | |
| <source>MILW0RM</source> | |
| <url>http://www.milw0rm.com/exploits/5618</url> | |
| <name>5618</name> | |
| </reference> | |
| <reference> | |
| <source>MILW0RM</source> | |
| <url>http://www.milw0rm.com/exploits/5688</url> | |
| <name>5688</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://dev.fckeditor.net/changeset/973</url> | |
| <name>http://dev.fckeditor.net/changeset/973</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://dev.fckeditor.net/ticket/1325</url> | |
| <name>http://dev.fckeditor.net/ticket/1325</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://downloads.securityfocus.com/vulnerabilities/exploits/30677.php</url> | |
| <name>http://downloads.securityfocus.com/vulnerabilities/exploits/30677.php</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.waraxe.us/advisory-57.html</url> | |
| <name>http://www.waraxe.us/advisory-57.html</name> | |
| </reference> | |
| <reference> | |
| <source>SREASON</source> | |
| <url>http://securityreason.com/securityalert/3182</url> | |
| <name>3182</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2007/3464</url> | |
| <name>ADV-2007-3464</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2007/3465</url> | |
| <name>ADV-2007-3465</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/44455</url> | |
| <name>cardinal-upload-file-upload(44455)</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/42425</url> | |
| <name>lanai-upload-file-upload(42425)</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/42733</url> | |
| <name>syntaxcms-upload-file-upload(42733)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| <software>cpe:/a:fckeditor:fckeditor</software> | |
| <software>cpe:/a:sitex:sitex_cms:0.7.3_beta</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2007-5000</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</cwe> | |
| <description>Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.</description> | |
| <references> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/docview.wss?uid=swg1PK58024</url> | |
| <name>PK58024</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/docview.wss?uid=swg1PK58074</url> | |
| <name>PK58074</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/docview.wss?uid=swg1PK63273</url> | |
| <name>PK63273</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/docview.wss?uid=swg24019245</url> | |
| <name>PK65782</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html</url> | |
| <name>APPLE-SA-2008-03-18</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2008//May/msg00001.html</url> | |
| <name>APPLE-SA-2008-05-28</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/26838</url> | |
| <name>26838</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/494428/100/0/threaded</url> | |
| <name>20080716 rPSA-2008-0035-1 httpd mod_ssl</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/505990/100/0/threaded</url> | |
| <name>20090821 VMSA-2009-0010 VMware Hosted products update libpng and Apache HTTP Server</name> | |
| </reference> | |
| <reference> | |
| <source>CERT</source> | |
| <url>http://www.us-cert.gov/cas/techalerts/TA08-150A.html</url> | |
| <name>TA08-150A</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://docs.info.apple.com/article.html?artnum=307562</url> | |
| <name>http://docs.info.apple.com/article.html?artnum=307562</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/security/vulnerabilities_13.html</url> | |
| <name>http://httpd.apache.org/security/vulnerabilities_13.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/security/vulnerabilities_20.html</url> | |
| <name>http://httpd.apache.org/security/vulnerabilities_20.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/security/vulnerabilities_22.html</url> | |
| <name>http://httpd.apache.org/security/vulnerabilities_22.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.avaya.com/elmodocs2/security/ASA-2008-032.htm</url> | |
| <name>http://support.avaya.com/elmodocs2/security/ASA-2008-032.htm</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.fujitsu.com/global/support/software/security/products-f/interstage-200801e.html</url> | |
| <name>http://www.fujitsu.com/global/support/software/security/products-f/interstage-200801e.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00562.html</url> | |
| <name>FEDORA-2008-1695</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00541.html</url> | |
| <name>FEDORA-2008-1711</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=130497311408250&w=2</url> | |
| <name>HPSBOV02683</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01345501</url> | |
| <name>SSRT080010</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/498523/100/0/threaded</url> | |
| <name>SSRT080059</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2008:014</url> | |
| <name>MDVSA-2008:014</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2008:015</url> | |
| <name>MDVSA-2008:015</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDVSA-2008:016</url> | |
| <name>MDVSA-2008:016</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://lists.vmware.com/pipermail/security-announce/2009/000062.html</url> | |
| <name>[security-announce] 20090820 VMSA-2009-0010 VMware Hosted products update libpng and Apache HTTP Server</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0004.html</url> | |
| <name>RHSA-2008:0004</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0005.html</url> | |
| <name>RHSA-2008:0005</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0006.html</url> | |
| <name>RHSA-2008:0006</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0007.html</url> | |
| <name>RHSA-2008:0007</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0008.html</url> | |
| <name>RHSA-2008:0008</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0009.html</url> | |
| <name>RHSA-2008:0009</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0261.html</url> | |
| <name>RHSA-2008:0261</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://securitytracker.com/id?1019093</url> | |
| <name>1019093</name> | |
| </reference> | |
| <reference> | |
| <source>SLACKWARE</source> | |
| <url>http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.595748</url> | |
| <name>SSA:2008-045-02</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-233623-1</url> | |
| <name>233623</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00004.html</url> | |
| <name>SUSE-SA:2008:021</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/usn-575-1</url> | |
| <name>USN-575-1</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2007/4201</url> | |
| <name>ADV-2007-4201</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2007/4202</url> | |
| <name>ADV-2007-4202</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2007/4301</url> | |
| <name>ADV-2007-4301</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/0084</url> | |
| <name>ADV-2008-0084</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/0178</url> | |
| <name>ADV-2008-0178</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/0398</url> | |
| <name>ADV-2008-0398</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/0809/references</url> | |
| <name>ADV-2008-0809</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/0924/references</url> | |
| <name>ADV-2008-0924</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/1224/references</url> | |
| <name>ADV-2008-1224</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/1623/references</url> | |
| <name>ADV-2008-1623</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/1697</url> | |
| <name>ADV-2008-1697</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/1875/references</url> | |
| <name>ADV-2008-1875</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:1.3.33</software> | |
| <software>cpe:/a:apache:http_server:1.3.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:http_server:2.0.56</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.0.58</software> | |
| <software>cpe:/a:apache:http_server:2.0.59</software> | |
| <software>cpe:/a:apache:http_server:2.0.60</software> | |
| <software>cpe:/a:apache:http_server:2.0.61</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:apache:http_server:2.2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.3</software> | |
| <software>cpe:/a:apache:http_server:2.2.4</software> | |
| <software>cpe:/a:apache:http_server:2.2.5</software> | |
| <software>cpe:/a:apache:http_server:2.2.6</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2007-4723</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <cwe>CWE-287 Improper Authentication</cwe> | |
| <description>Directory traversal vulnerability in Ragnarok Online Control Panel 4.3.4a, when the Apache HTTP Server is used, allows remote attackers to bypass authentication via directory traversal sequences in a URI that ends with the name of a publicly available page, as demonstrated by a "/...../" sequence and an account_manage.php/login.php final component for reaching the protected account_manage.php page.</description> | |
| <references> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/478263/100/0/threaded</url> | |
| <name>20070831 Ragnarok Online Control Panel Authentication Bypass Vulnerability [new method]</name> | |
| </reference> | |
| <reference> | |
| <source>SREASON</source> | |
| <url>http://securityreason.com/securityalert/3100</url> | |
| <name>3100</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| <software>cpe:/a:jasio.net:ragnarok_online_control_panel:4.3.4a</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2007-1349</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-399 Resource Management Errors</cwe> | |
| <description>PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/23192</url> | |
| <name>23192</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.avaya.com/elmodocs2/security/ASA-2007-293.htm</url> | |
| <name>http://support.avaya.com/elmodocs2/security/ASA-2007-293.htm</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/repos/asf/perl/modperl/branches/1.x/Changes</url> | |
| <name>http://svn.apache.org/repos/asf/perl/modperl/branches/1.x/Changes</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200705-04.xml</url> | |
| <name>GLSA-200705-04</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDKSA-2007:083</url> | |
| <name>MDKSA-2007:083</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.gossamer-threads.com/lists/modperl/modperl/92739</url> | |
| <name>http://www.gossamer-threads.com/lists/modperl/modperl/92739</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2007-0395.html</url> | |
| <name>RHSA-2007:0395</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2007-0396.html</url> | |
| <name>RHSA-2007:0396</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2007-0486.html</url> | |
| <name>RHSA-2007:0486</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0261.html</url> | |
| <name>RHSA-2008:0261</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0627.html</url> | |
| <name>RHSA-2008:0627</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2008-0630.html</url> | |
| <name>RHSA-2008:0630</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1018259</url> | |
| <name>1018259</name> | |
| </reference> | |
| <reference> | |
| <source>SGI</source> | |
| <url>ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc</url> | |
| <name>20070602-01-P</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021508.1-1</url> | |
| <name>1021508</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-66-248386-1</url> | |
| <name>248386</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://www.novell.com/linux/security/advisories/2007_8_sr.html</url> | |
| <name>SUSE-SR:2007:008</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://www.novell.com/linux/security/advisories/2007_12_sr.html</url> | |
| <name>SUSE-SR:2007:012</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/usn-488-1</url> | |
| <name>USN-488-1</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2007/1150</url> | |
| <name>ADV-2007-1150</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/33312</url> | |
| <name>modperl-pathinfo-dos(33312)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:apache_test:1.29</software> | |
| <software>cpe:/a:apache:http_server</software> | |
| <software>cpe:/a:apache:mod_perl:2.0.0</software> | |
| <software>cpe:/a:apache:mod_perl:2.0.1</software> | |
| <software>cpe:/a:apache:mod_perl:2.0.2</software> | |
| <software>cpe:/a:apache:mod_perl:2.0.3</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2007-0450</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</cwe> | |
| <description>Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html</url> | |
| <name>APPLE-SA-2007-07-31</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/22960</url> | |
| <name>22960</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/25159</url> | |
| <name>25159</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/462791/100/0/threaded</url> | |
| <name>20070314 SEC Consult SA-20070314-0 :: Apache HTTP Server / Tomcat directory traversal</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/485938/100/0/threaded</url> | |
| <name>20080108 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/500396/100/0/threaded</url> | |
| <name>20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/500412/100/0/threaded</url> | |
| <name>20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1)</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx</url> | |
| <name>http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://docs.info.apple.com/article.html?artnum=306172</url> | |
| <name>http://docs.info.apple.com/article.html?artnum=306172</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm</url> | |
| <name>http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540</url> | |
| <name>http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://tomcat.apache.org/security-4.html</url> | |
| <name>http://tomcat.apache.org/security-4.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://tomcat.apache.org/security-5.html</url> | |
| <name>http://tomcat.apache.org/security-5.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://tomcat.apache.org/security-6.html</url> | |
| <name>http://tomcat.apache.org/security-6.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.fujitsu.com/global/support/software/security/products-f/interstage-200702e.html</url> | |
| <name>http://www.fujitsu.com/global/support/software/security/products-f/interstage-200702e.html</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200705-03.xml</url> | |
| <name>GLSA-200705-03</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795</url> | |
| <name>SSRT071447</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDKSA-2007:241</url> | |
| <name>MDKSA-2007:241</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.sec-consult.com/287.html</url> | |
| <name>http://www.sec-consult.com/287.html</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://www.sec-consult.com/fileadmin/Advisories/20070314-0-apache_tomcat_directory_traversal.txt</url> | |
| <name>http://www.sec-consult.com/fileadmin/Advisories/20070314-0-apache_tomcat_directory_traversal.txt</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://lists.vmware.com/pipermail/security-announce/2008/000003.html</url> | |
| <name>[Security-announce] 20080107 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2007-0327.html</url> | |
| <name>RHSA-2007:0327</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2007-0360.html</url> | |
| <name>RHSA-2007:0360</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2008-0261.html</url> | |
| <name>RHSA-2008:0261</name> | |
| </reference> | |
| <reference> | |
| <source>SREASON</source> | |
| <url>http://securityreason.com/securityalert/2446</url> | |
| <name>2446</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1</url> | |
| <name>239312</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://www.novell.com/linux/security/advisories/2007_5_sr.html</url> | |
| <name>SUSE-SR:2007:005</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://www.novell.com/linux/security/advisories/2007_15_sr.html</url> | |
| <name>SUSE-SR:2007:015</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2007/0975</url> | |
| <name>ADV-2007-0975</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2007/2732</url> | |
| <name>ADV-2007-2732</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2007/3087</url> | |
| <name>ADV-2007-3087</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2007/3386</url> | |
| <name>ADV-2007-3386</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/0065</url> | |
| <name>ADV-2008-0065</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/1979/references</url> | |
| <name>ADV-2008-1979</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2009/0233</url> | |
| <name>ADV-2009-0233</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/32988</url> | |
| <name>tomcat-proxy-directory-traversal(32988)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:::win32</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.0.19</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.0.28</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.0</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.1</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.2</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.3</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.4</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.5</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.6</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.7</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.8</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.9</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.10</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.11</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.12</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.13</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.14</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.15</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.16</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.17</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.18</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.19</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.20</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.21</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:5.5.22</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:tomcat:6.0.9</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2007-0086</name> | |
| <cvssScore>7.8</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>** DISPUTED ** The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal.</description> | |
| <references> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/455833/100/0/threaded</url> | |
| <name>20070103 a cheesy Apache / IIS DoS vuln (+a question)</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/455879/100/0/threaded</url> | |
| <name>20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/455882/100/0/threaded</url> | |
| <name>20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/455920/100/0/threaded</url> | |
| <name>20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2006-3918</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.</description> | |
| <references> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/docview.wss?uid=swg1PK24631</url> | |
| <name>PK24631</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/docview.wss?uid=swg24013080</url> | |
| <name>PK27875</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/19661</url> | |
| <name>19661</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2006-05/0151.html</url> | |
| <name>20060508 Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html</url> | |
| <name>20060724 Write-up by Amit Klein: "Forging HTTP request headers with Flash"</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://kb.vmware.com/KanisaPlatform/Publishing/466/5915871_f.SAL_Public.html</url> | |
| <name>http://kb.vmware.com/KanisaPlatform/Publishing/466/5915871_f.SAL_Public.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.avaya.com/elmodocs2/security/ASA-2006-194.htm</url> | |
| <name>http://support.avaya.com/elmodocs2/security/ASA-2006-194.htm</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://svn.apache.org/viewvc?view=rev&revision=394965</url> | |
| <name>http://svn.apache.org/viewvc?view=rev&revision=394965</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2010-2.html</url> | |
| <name>http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2010-2.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117</url> | |
| <name>http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2006/dsa-1167</url> | |
| <name>DSA-1167</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=130497311408250&w=2</url> | |
| <name>HPSBOV02683</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=125631037611762&w=2</url> | |
| <name>SSRT090192</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=129190899612998&w=2</url> | |
| <name>SSRT100345</name> | |
| </reference> | |
| <reference> | |
| <source>OPENBSD</source> | |
| <url>http://openbsd.org/errata.html#httpd2</url> | |
| <name>[3.9] 012: SECURITY FIX: October 7, 2006</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2006-0618.html</url> | |
| <name>RHSA-2006:0618</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2006-0619.html</url> | |
| <name>RHSA-2006:0619</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2006-0692.html</url> | |
| <name>RHSA-2006:0692</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://securitytracker.com/id?1016569</url> | |
| <name>1016569</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/id?1024144</url> | |
| <name>1024144</name> | |
| </reference> | |
| <reference> | |
| <source>SGI</source> | |
| <url>ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P</url> | |
| <name>20060801-01-P</name> | |
| </reference> | |
| <reference> | |
| <source>SREASON</source> | |
| <url>http://securityreason.com/securityalert/1294</url> | |
| <name>1294</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://www.novell.com/linux/security/advisories/2006_51_apache.html</url> | |
| <name>SUSE-SA:2006:051</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00004.html</url> | |
| <name>SUSE-SA:2008:021</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/usn-575-1</url> | |
| <name>USN-575-1</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2006/2963</url> | |
| <name>ADV-2006-2963</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2006/2964</url> | |
| <name>ADV-2006-2964</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2006/3264</url> | |
| <name>ADV-2006-3264</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2006/4207</url> | |
| <name>ADV-2006-4207</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2006/5089</url> | |
| <name>ADV-2006-5089</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2010/1572</url> | |
| <name>ADV-2010-1572</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.11::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.12::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.57</software> | |
| <software>cpe:/a:apache:http_server:2.2</software> | |
| <software>cpe:/a:apache:http_server:2.2.1</software> | |
| <software>cpe:/a:ibm:http_server:6.0</software> | |
| <software>cpe:/a:ibm:http_server:6.1</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2005-3352</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps.</description> | |
| <references> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/search.wss?rs=0&q=PK16139&apar=only</url> | |
| <name>PK16139</name> | |
| </reference> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/search.wss?rs=0&q=PK25355&apar=only</url> | |
| <name>PK25355</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html</url> | |
| <name>APPLE-SA-2008-03-18</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2008//May/msg00001.html</url> | |
| <name>APPLE-SA-2008-05-28</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/15834</url> | |
| <name>15834</name> | |
| </reference> | |
| <reference> | |
| <source>CERT</source> | |
| <url>http://www.us-cert.gov/cas/techalerts/TA08-150A.html</url> | |
| <name>TA08-150A</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://docs.info.apple.com/article.html?artnum=307562</url> | |
| <name>http://docs.info.apple.com/article.html?artnum=307562</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://issues.apache.org/bugzilla/show_bug.cgi?id=37874</url> | |
| <name>http://issues.apache.org/bugzilla/show_bug.cgi?id=37874</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2006/dsa-1167</url> | |
| <name>DSA-1167</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00060.html</url> | |
| <name>FEDORA-2006-052</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/425399/100/0/threaded</url> | |
| <name>FLSA-2006:175406</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://www.gentoo.org/security/en/glsa/glsa-200602-03.xml</url> | |
| <name>GLSA-200602-03</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01428449</url> | |
| <name>HPSBMA02328</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=130497311408250&w=2</url> | |
| <name>HPSBOV02683</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/450315/100/0/threaded</url> | |
| <name>HPSBUX02172</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/445206/100/0/threaded</url> | |
| <name>SSRT061202</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/450321/100/0/threaded</url> | |
| <name>SSRT061265</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRIVA</source> | |
| <url>http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:007</url> | |
| <name>MDKSA-2006:007</name> | |
| </reference> | |
| <reference> | |
| <source>OPENPKG</source> | |
| <url>http://www.openpkg.org/security/OpenPKG-SA-2005.029-apache.txt</url> | |
| <name>OpenPKG-SA-2005.029</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2006-0158.html</url> | |
| <name>RHSA-2006:0158</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2006-0159.html</url> | |
| <name>RHSA-2006:0159</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2006-0692.html</url> | |
| <name>RHSA-2006:0692</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://securitytracker.com/id?1015344</url> | |
| <name>1015344</name> | |
| </reference> | |
| <reference> | |
| <source>SGI</source> | |
| <url>ftp://patches.sgi.com/support/free/security/advisories/20060101-01-U</url> | |
| <name>20060101-01-U</name> | |
| </reference> | |
| <reference> | |
| <source>SLACKWARE</source> | |
| <url>http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.685483</url> | |
| <name>SSA:2006-129-01</name> | |
| </reference> | |
| <reference> | |
| <source>SLACKWARE</source> | |
| <url>http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.470158</url> | |
| <name>SSA:2006-130-01</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-102662-1</url> | |
| <name>102662</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-102663-1</url> | |
| <name>102663</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://www.novell.com/linux/security/advisories/2006_43_apache.html</url> | |
| <name>SUSE-SA:2006:043</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.suse.de/archive/suse-security-announce/2006-Feb/0008.html</url> | |
| <name>SUSE-SR:2006:004</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://lists.suse.com/archive/suse-security-announce/2007-May/0005.html</url> | |
| <name>SUSE-SR:2007:011</name> | |
| </reference> | |
| <reference> | |
| <source>TRUSTIX</source> | |
| <url>http://www.trustix.org/errata/2005/0074/</url> | |
| <name>TSLSA-2005-0074</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntulinux.org/usn/usn-241-1</url> | |
| <name>USN-241-1</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2005/2870</url> | |
| <name>ADV-2005-2870</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2006/2423</url> | |
| <name>ADV-2006-2423</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2006/3995</url> | |
| <name>ADV-2006-3995</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2006/4015</url> | |
| <name>ADV-2006-4015</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2006/4300</url> | |
| <name>ADV-2006-4300</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2006/4868</url> | |
| <name>ADV-2006-4868</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/0924/references</url> | |
| <name>ADV-2008-0924</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/1246/references</url> | |
| <name>ADV-2008-1246</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2008/1697</url> | |
| <name>ADV-2008-1697</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.7::dev</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.11::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.12::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.13::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.14::mac_os</software> | |
| <software>cpe:/a:apache:http_server:1.3.14::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.15::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.16</software> | |
| <software>cpe:/a:apache:http_server:1.3.16::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.17::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.18::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.19::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.20::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.22::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.23::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.24::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.25::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.26::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.30</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta:win32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.32:beta:win32</software> | |
| <software>cpe:/a:apache:http_server:2.0.34:beta:win32</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:apache:http_server:2.0.50</software> | |
| <software>cpe:/a:apache:http_server:2.0.51</software> | |
| <software>cpe:/a:apache:http_server:2.0.52</software> | |
| <software>cpe:/a:apache:http_server:2.0.53</software> | |
| <software>cpe:/a:apache:http_server:2.0.54</software> | |
| <software>cpe:/a:apache:http_server:2.0.55</software> | |
| <software>cpe:/a:apache:mod_imap</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2005-1268</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/14366</url> | |
| <name>14366</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm</url> | |
| <name>http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2005/dsa-805</url> | |
| <name>DSA-805</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/428138/100/0/threaded</url> | |
| <name>HPSBUX02074</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDKSA-2005:129</url> | |
| <name>MDKSA-2005:129</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163013</url> | |
| <name>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163013</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2005-582.html</url> | |
| <name>RHSA-2005:582</name> | |
| </reference> | |
| <reference> | |
| <source>SREASON</source> | |
| <url>http://securityreason.com/securityalert/604</url> | |
| <name>604</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1</url> | |
| <name>102198</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://www.novell.com/linux/security/advisories/2005_46_apache.html</url> | |
| <name>SUSE-SA:2005:046</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://www.novell.com/linux/security/advisories/2005_18_sr.html</url> | |
| <name>SUSE-SR:2005:018</name> | |
| </reference> | |
| <reference> | |
| <source>TRUSTIX</source> | |
| <url>http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html</url> | |
| <name>TSLSA-2005-0059</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2006/0789</url> | |
| <name>ADV-2006-0789</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2004-2343</name> | |
| <cvssScore>7.2</cvssScore> | |
| <cvssAccessVector>LOCAL</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>COMPLETE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>COMPLETE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>** DISPUTED ** Apache HTTP Server 2.0.47 and earlier allows local users to bypass .htaccess file restrictions, as specified in httpd.conf with directives such as Deny From All, by using an ErrorDocument directive. NOTE: the vendor has disputed this issue, since the .htaccess mechanism is only intended to restrict external web access, and a local user already has the privileges to perform the same operations without using ErrorDocument.</description> | |
| <references> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2004-02/0043.html</url> | |
| <name>20040131 BUG IN APACHE HTTPD SERVER (current version 2.0.47)</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2004-02/0064.html</url> | |
| <name>20040202 Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2004-02/0120.html</url> | |
| <name>20040204 Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/15015</url> | |
| <name>apache-httpd-bypass-restriction(15015)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.0.47</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2004-1082</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>mod_digest_apple for Apache 1.3.31 and 1.3.32 on Mac OS X Server does not properly verify the nonce of a client response, which allows remote attackers to replay credentials.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2004/Dec/msg00000.html</url> | |
| <name>APPLE-SA-2004-12-02</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/9571</url> | |
| <name>9571</name> | |
| </reference> | |
| <reference> | |
| <source>CIAC</source> | |
| <url>http://www.ciac.org/ciac/bulletins/p-049.shtml</url> | |
| <name>P-049</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/alerts/2004/Dec/1012414.html</url> | |
| <name>1012414</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/18347</url> | |
| <name>macos-moddigest-response-replay(18347)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7::dev</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apple:apache_mod_digest_apple</software> | |
| <software>cpe:/a:avaya:communication_manager:1.1</software> | |
| <software>cpe:/a:avaya:communication_manager:1.3.1</software> | |
| <software>cpe:/a:avaya:communication_manager:2.0</software> | |
| <software>cpe:/a:avaya:communication_manager:2.0.1</software> | |
| <software>cpe:/a:avaya:intuity_audix_lx</software> | |
| <software>cpe:/a:avaya:mn100</software> | |
| <software>cpe:/a:avaya:network_routing</software> | |
| <software>cpe:/a:hp:virtualvault:4.5</software> | |
| <software>cpe:/a:hp:virtualvault:4.6</software> | |
| <software>cpe:/a:hp:virtualvault:4.7</software> | |
| <software>cpe:/a:hp:webproxy:a.02.00</software> | |
| <software>cpe:/a:hp:webproxy:a.02.10</software> | |
| <software>cpe:/a:ibm:http_server:1.3.19</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2004-0942</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>Apache webserver 2.0.52 and earlier allows remote attackers to cause a denial of service (CPU consumption) via an HTTP GET request with a MIME header containing multiple lines with a large number of space characters.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2005/Aug/msg00000.html</url> | |
| <name>APPLE-SA-2005-08-15</name> | |
| </reference> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2005//Aug/msg00001.html</url> | |
| <name>APPLE-SA-2005-08-17</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm</url> | |
| <name>http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm</name> | |
| </reference> | |
| <reference> | |
| <source>FULLDISC</source> | |
| <url>http://lists.grok.org.uk/pipermail/full-disclosure/2004-November/028248.html</url> | |
| <name>20041101 DoS in Apache 2.0.52 ?</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01123</url> | |
| <name>HPSBUX01123</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=110384374213596&w=2</url> | |
| <name>SSRT4876</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDKSA-2004:135</url> | |
| <name>MDKSA-2004:135</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2004-562.html</url> | |
| <name>RHSA-2004:562</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1</url> | |
| <name>102198</name> | |
| </reference> | |
| <reference> | |
| <source>TRUSTIX</source> | |
| <url>http://www.trustix.org/errata/2004/0061/</url> | |
| <name>2004-0061</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2006/0789</url> | |
| <name>ADV-2006-0789</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/17930</url> | |
| <name>apache-http-get-dos(17930)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.0.52</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2004-0940</name> | |
| <cvssScore>6.9</cvssScore> | |
| <cvssAccessVector>LOCAL</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>COMPLETE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>COMPLETE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer</cwe> | |
| <description>Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/11471</url> | |
| <name>11471</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm</url> | |
| <name>http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apacheweek.com/features/security-13</url> | |
| <name>http://www.apacheweek.com/features/security-13</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2004/dsa-594</url> | |
| <name>DSA-594</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDKSA-2004:134</url> | |
| <name>MDKSA-2004:134</name> | |
| </reference> | |
| <reference> | |
| <source>OPENPKG</source> | |
| <url>http://marc.info/?l=bugtraq&m=109906660225051&w=2</url> | |
| <name>OpenPKG-SA-2004.047</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2004-600.html</url> | |
| <name>RHSA-2004:600</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2005-816.html</url> | |
| <name>RHSA-2005:816</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://securitytracker.com/id?1011783</url> | |
| <name>1011783</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-102197-1</url> | |
| <name>102197</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2006/0789</url> | |
| <name>ADV-2006-0789</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/17785</url> | |
| <name>apache-modinclude-bo(17785)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7::dev</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:1.3.32</software> | |
| <software>cpe:/a:openpkg:openpkg:2.0</software> | |
| <software>cpe:/a:openpkg:openpkg:2.1</software> | |
| <software>cpe:/a:openpkg:openpkg:2.2</software> | |
| <software>cpe:/a:openpkg:openpkg:current</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2004-0488</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/10355</url> | |
| <name>10355</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=108567431823750&w=2</url> | |
| <name>20040527 [OpenPKG-SA-2004.026] OpenPKG Security Advisory (apache)</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=108619129727620&w=2</url> | |
| <name>20040601 TSSA-2004-008 - apache</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2004/dsa-532</url> | |
| <name>DSA-532</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>https://bugzilla.fedora.us/show_bug.cgi?id=1888</url> | |
| <name>FLSA:1888</name> | |
| </reference> | |
| <reference> | |
| <source>FULLDISC</source> | |
| <url>http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/021610.html</url> | |
| <name>20040517 mod_ssl ssl_util_uuencode_binary potential problem</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200406-05.xml</url> | |
| <name>GLSA-200406-05</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=109181600614477&w=2</url> | |
| <name>SSRT4777</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=109215056218824&w=2</url> | |
| <name>SSRT4788</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDKSA-2004:054</url> | |
| <name>MDKSA-2004:054</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDKSA-2004:055</url> | |
| <name>MDKSA-2004:055</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2004-245.html</url> | |
| <name>RHSA-2004:245</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2004-342.html</url> | |
| <name>RHSA-2004:342</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2004-405.html</url> | |
| <name>RHSA-2004:405</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2005-816.html</url> | |
| <name>RHSA-2005:816</name> | |
| </reference> | |
| <reference> | |
| <source>SGI</source> | |
| <url>ftp://patches.sgi.com/support/free/security/advisories/20040605-01-U.asc</url> | |
| <name>20040605-01-U</name> | |
| </reference> | |
| <reference> | |
| <source>TRUSTIX</source> | |
| <url>http://www.trustix.net/errata/2004/0031/</url> | |
| <name>2004-0031</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/16214</url> | |
| <name>apache-modssl-uuencode-bo(16214)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7::dev</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:1.3.31</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:apache:http_server:2.0.49</software> | |
| <software>cpe:/a:mandrakesoft:mandrake_multi_network_firewall:8.2</software> | |
| <software>cpe:/a:mod_ssl:mod_ssl:2.8.7</software> | |
| <software>cpe:/a:mod_ssl:mod_ssl:2.8.10</software> | |
| <software>cpe:/a:mod_ssl:mod_ssl:2.8.12</software> | |
| <software>cpe:/a:mod_ssl:mod_ssl:2.8.15</software> | |
| <software>cpe:/a:mod_ssl:mod_ssl:2.8.16</software> | |
| <software>cpe:/a:sgi:propack:2.4</software> | |
| <software>cpe:/a:tinysofa:tinysofa_enterprise_server:1.0</software> | |
| <software>cpe:/a:tinysofa:tinysofa_enterprise_server:1.0_u1</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2004-0263</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>PHP 4.3.4 and earlier in Apache 1.x and 2.x (mod_php) can leak global variables between virtual hosts that are handled by the same Apache child process but have different settings, which could allow remote attackers to obtain sensitive information.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/9599</url> | |
| <name>9599</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200402-01.xml</url> | |
| <name>GLSA-200402-01</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/15072</url> | |
| <name>php-virtualhost-info-disclosure(15072)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.0</software> | |
| <software>cpe:/a:apache:http_server:1.0.2</software> | |
| <software>cpe:/a:apache:http_server:1.0.3</software> | |
| <software>cpe:/a:apache:http_server:1.0.5</software> | |
| <software>cpe:/a:apache:http_server:1.1</software> | |
| <software>cpe:/a:apache:http_server:1.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.2</software> | |
| <software>cpe:/a:apache:http_server:1.2.5</software> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7::dev</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.9</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.28:beta</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| <software>cpe:/a:apache:http_server:2.0.48</software> | |
| <software>cpe:/a:ibm:http_server:1.3.19</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2004-0174</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://marc.info/?l=bugtraq&m=108369640424244&w=2</url> | |
| <name>APPLE-SA-2004-05-03</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/9921</url> | |
| <name>9921</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=107973894328806&w=2</url> | |
| <name>20040319 [ANNOUNCE] Apache HTTP Server 2.0.49 Released (fwd)</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=108437852004207&w=2</url> | |
| <name>20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)</name> | |
| </reference> | |
| <reference> | |
| <source>CERT-VN</source> | |
| <url>http://www.kb.cert.org/vuls/id/132110</url> | |
| <name>VU#132110</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/httpd/CHANGES_1.3</url> | |
| <name>http://www.apache.org/dist/httpd/CHANGES_1.3</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200405-22.xml</url> | |
| <name>GLSA-200405-22</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=108731648532365&w=2</url> | |
| <name>SSRT4717</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDKSA-2004:046</url> | |
| <name>MDKSA-2004:046</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2004-405.html</url> | |
| <name>RHSA-2004:405</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://www.securitytracker.com/alerts/2004/Mar/1009495.html</url> | |
| <name>1009495</name> | |
| </reference> | |
| <reference> | |
| <source>SLACKWARE</source> | |
| <url>http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643</url> | |
| <name>SSA:2004-133</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1</url> | |
| <name>101555</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1</url> | |
| <name>57628</name> | |
| </reference> | |
| <reference> | |
| <source>TRUSTIX</source> | |
| <url>http://marc.info/?l=bugtraq&m=108066914830552&w=2</url> | |
| <name>2004-0017</name> | |
| </reference> | |
| <reference> | |
| <source>TRUSTIX</source> | |
| <url>http://www.trustix.org/errata/2004/0027</url> | |
| <name>2004-0027</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/15540</url> | |
| <name>apache-socket-starvation-dos(15540)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.0.49</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2003-0993</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/9829</url> | |
| <name>9829</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=108437852004207&w=2</url> | |
| <name>20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://issues.apache.org/bugzilla/show_bug.cgi?id=23850</url> | |
| <name>http://issues.apache.org/bugzilla/show_bug.cgi?id=23850</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apacheweek.com/features/security-13</url> | |
| <name>http://www.apacheweek.com/features/security-13</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200405-22.xml</url> | |
| <name>GLSA-200405-22</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046</url> | |
| <name>MDKSA-2004:046</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://marc.info/?l=apache-cvs&m=107869603013722</url> | |
| <name>[apache-cvs] 20040307 cvs commit: apache-1.3/src/modules/standard mod_access.c</name> | |
| </reference> | |
| <reference> | |
| <source>SLACKWARE</source> | |
| <url>http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643</url> | |
| <name>SSA:2004-133</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1</url> | |
| <name>101555</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-101841-1</url> | |
| <name>101841</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1</url> | |
| <name>57628</name> | |
| </reference> | |
| <reference> | |
| <source>TRUSTIX</source> | |
| <url>http://www.trustix.org/errata/2004/0027</url> | |
| <name>2004-0027</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/15422</url> | |
| <name>apache-modaccess-obtain-information(15422)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7::dev</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:1.3.29</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2003-0987</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/9571</url> | |
| <name>9571</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=108437852004207&w=2</url> | |
| <name>20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.mail-archive.com/dev@httpd.apache.org/msg19007.html</url> | |
| <name>http://www.mail-archive.com/dev@httpd.apache.org/msg19007.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.mail-archive.com/dev@httpd.apache.org/msg19014.html</url> | |
| <name>http://www.mail-archive.com/dev@httpd.apache.org/msg19014.html</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200405-22.xml</url> | |
| <name>GLSA-200405-22</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDKSA-2004:046</url> | |
| <name>MDKSA-2004:046</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2004-600.html</url> | |
| <name>RHSA-2004:600</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2005-816.html</url> | |
| <name>RHSA-2005:816</name> | |
| </reference> | |
| <reference> | |
| <source>SECTRACK</source> | |
| <url>http://securitytracker.com/id?1008920</url> | |
| <name>1008920</name> | |
| </reference> | |
| <reference> | |
| <source>SLACKWARE</source> | |
| <url>http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643</url> | |
| <name>SSA:2004-133</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1</url> | |
| <name>101555</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-101841-1</url> | |
| <name>101841</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1</url> | |
| <name>57628</name> | |
| </reference> | |
| <reference> | |
| <source>TRUSTIX</source> | |
| <url>http://www.trustix.org/errata/2004/0027</url> | |
| <name>2004-0027</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/15041</url> | |
| <name>apache-moddigest-response-replay(15041)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:1.3.30</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2003-0789</name> | |
| <cvssScore>10.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>COMPLETE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>COMPLETE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>mod_cgid in Apache before 2.0.48, when using a threaded MPM, does not properly handle CGI redirect paths, which could cause Apache to send the output of a CGI program to the wrong client.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2004/Jan/msg00000.html</url> | |
| <name>APPLE-SA-2004-01-26</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/8926</url> | |
| <name>8926</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/9504</url> | |
| <name>9504</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=106761802305141&w=2</url> | |
| <name>20031031 GLSA: apache (200310-04)</name> | |
| </reference> | |
| <reference> | |
| <source>CIAC</source> | |
| <url>http://www.ciac.org/ciac/bulletins/o-015.shtml</url> | |
| <name>O-015</name> | |
| </reference> | |
| <reference> | |
| <source>CONECTIVA</source> | |
| <url>http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000775</url> | |
| <name>CLA-2003:775</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://apache.secsup.org/dist/httpd/Announcement2.html</url> | |
| <name>http://apache.secsup.org/dist/httpd/Announcement2.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://docs.info.apple.com/article.html?artnum=61798</url> | |
| <name>http://docs.info.apple.com/article.html?artnum=61798</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://lists.apple.com/mhonarc/security-announce/msg00045.html</url> | |
| <name>http://lists.apple.com/mhonarc/security-announce/msg00045.html</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200310-04.xml</url> | |
| <name>200310-04</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://www.securityfocus.com/advisories/6079</url> | |
| <name>HPSBUX0311-301</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:103</url> | |
| <name>MDKSA-2003:103</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2003-320.html</url> | |
| <name>RHSA-2003:320</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/13552</url> | |
| <name>apache-modcgi-info-disclosure(13552)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:2.0.48</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2003-0542</name> | |
| <cvssScore>7.2</cvssScore> | |
| <cvssAccessVector>LOCAL</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>COMPLETE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>COMPLETE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <cwe>CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer</cwe> | |
| <description>Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://lists.apple.com/archives/security-announce/2004/Jan/msg00000.html</url> | |
| <name>APPLE-SA-2004-01-26</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/8911</url> | |
| <name>8911</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/9504</url> | |
| <name>9504</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/342674</url> | |
| <name>20031028 [OpenPKG-SA-2003.046] OpenPKG Security Advisory (apache)</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=106761802305141&w=2</url> | |
| <name>20031031 GLSA: apache (200310-04)</name> | |
| </reference> | |
| <reference> | |
| <source>CERT-VN</source> | |
| <url>http://www.kb.cert.org/vuls/id/434566</url> | |
| <name>VU#434566</name> | |
| </reference> | |
| <reference> | |
| <source>CERT-VN</source> | |
| <url>http://www.kb.cert.org/vuls/id/549142</url> | |
| <name>VU#549142</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://docs.info.apple.com/article.html?artnum=61798</url> | |
| <name>http://docs.info.apple.com/article.html?artnum=61798</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/dist/httpd/Announcement2.html</url> | |
| <name>http://httpd.apache.org/dist/httpd/Announcement2.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://lists.apple.com/mhonarc/security-announce/msg00045.html</url> | |
| <name>http://lists.apple.com/mhonarc/security-announce/msg00045.html</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=130497311408250&w=2</url> | |
| <name>HPSBOV02683</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://www.securityfocus.com/advisories/6079</url> | |
| <name>HPSBUX0311-301</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:103</url> | |
| <name>MDKSA-2003:103</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2003-320.html</url> | |
| <name>RHSA-2003:320</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2003-360.html</url> | |
| <name>RHSA-2003:360</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2003-405.html</url> | |
| <name>RHSA-2003:405</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2004-015.html</url> | |
| <name>RHSA-2004:015</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2005-816.html</url> | |
| <name>RHSA-2005:816</name> | |
| </reference> | |
| <reference> | |
| <source>SCO</source> | |
| <url>ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.6/SCOSA-2004.6.txt</url> | |
| <name>SCOSA-2004.6</name> | |
| </reference> | |
| <reference> | |
| <source>SGI</source> | |
| <url>ftp://patches.sgi.com/support/free/security/advisories/20031203-01-U.asc</url> | |
| <name>20031203-01-U</name> | |
| </reference> | |
| <reference> | |
| <source>SGI</source> | |
| <url>ftp://patches.sgi.com/support/free/security/advisories/20040202-01-U.asc</url> | |
| <name>20040202-01-U</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-101444-1</url> | |
| <name>101444</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-101841-1</url> | |
| <name>101841</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/13400</url> | |
| <name>apache-modalias-modrewrite-bo(13400)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:http_server:1.3.28</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:apache:http_server:2.0.43</software> | |
| <software>cpe:/a:apache:http_server:2.0.44</software> | |
| <software>cpe:/a:apache:http_server:2.0.45</software> | |
| <software>cpe:/a:apache:http_server:2.0.46</software> | |
| <software>cpe:/a:apache:http_server:2.0.47</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2003-0460</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>The rotatelogs program on Apache before 1.3.28, for Windows and OS/2 systems, does not properly ignore certain control characters that are received over the pipe, which could allow remote attackers to cause a denial of service.</description> | |
| <references> | |
| <reference> | |
| <source>CERT-VN</source> | |
| <url>http://www.kb.cert.org/vuls/id/694428</url> | |
| <name>VU#694428</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apache.org/dist/httpd/Announcement.html</url> | |
| <name>http://www.apache.org/dist/httpd/Announcement.html</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:1.3.27</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2003-0020</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.</description> | |
| <references> | |
| <reference> | |
| <source>APPLE</source> | |
| <url>http://marc.info/?l=bugtraq&m=108369640424244&w=2</url> | |
| <name>APPLE-SA-2004-05-03</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/9930</url> | |
| <name>9930</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=104612710031920&w=2</url> | |
| <name>20030224 Terminal Emulator Security Issues</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=108437852004207&w=2</url> | |
| <name>20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)</name> | |
| </reference> | |
| <reference> | |
| <source>GENTOO</source> | |
| <url>http://security.gentoo.org/glsa/glsa-200405-22.xml</url> | |
| <name>GLSA-200405-22</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=108731648532365&w=2</url> | |
| <name>SSRT4717</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:050</url> | |
| <name>MDKSA-2003:050</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://frontal2.mandriva.com/security/advisories?name=MDKSA-2004:046</url> | |
| <name>MDKSA-2004:046</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2003-082.html</url> | |
| <name>RHSA-2003:082</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2003-083.html</url> | |
| <name>RHSA-2003:083</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2003-104.html</url> | |
| <name>RHSA-2003:104</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2003-139.html</url> | |
| <name>RHSA-2003:139</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2003-243.html</url> | |
| <name>RHSA-2003:243</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2003-244.html</url> | |
| <name>RHSA-2003:244</name> | |
| </reference> | |
| <reference> | |
| <source>SLACKWARE</source> | |
| <url>http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.529643</url> | |
| <name>SSA:2004-133</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1</url> | |
| <name>101555</name> | |
| </reference> | |
| <reference> | |
| <source>SUNALERT</source> | |
| <url>http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1</url> | |
| <name>57628</name> | |
| </reference> | |
| <reference> | |
| <source>TRUSTIX</source> | |
| <url>http://www.trustix.org/errata/2004/0017</url> | |
| <name>2004-0017</name> | |
| </reference> | |
| <reference> | |
| <source>TRUSTIX</source> | |
| <url>http://www.trustix.org/errata/2004/0027</url> | |
| <name>2004-0027</name> | |
| </reference> | |
| <reference> | |
| <source>VULNWATCH</source> | |
| <url>http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html</url> | |
| <name>20030224 Terminal Emulator Security Issues</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://www.iss.net/security_center/static/11412.php</url> | |
| <name>apache-esc-seq-injection(11412)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2002-2272</name> | |
| <cvssScore>7.8</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <cwe>CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer</cwe> | |
| <description>Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/6320</url> | |
| <name>6320</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2002-12/0045.html</url> | |
| <name>20021204 Apache/Tomcat Denial Of Service And Information Leakage Vulnerability</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/10771</url> | |
| <name>tomcat-modjk-get-bo(10771)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.13</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.15</software> | |
| <software>cpe:/a:apache:http_server:1.3.16</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| <software>cpe:/a:apache:tomcat:4.0.0</software> | |
| <software>cpe:/a:apache:tomcat:4.0.1</software> | |
| <software>cpe:/a:apache:tomcat:4.0.2</software> | |
| <software>cpe:/a:apache:tomcat:4.0.3</software> | |
| <software>cpe:/a:apache:tomcat:4.0.4</software> | |
| <software>cpe:/a:apache:tomcat:4.0.5</software> | |
| <software>cpe:/a:apache:tomcat:4.0.6</software> | |
| <software>cpe:/a:apache:tomcat:4.1.0</software> | |
| <software>cpe:/a:apache:tomcat:4.1.1</software> | |
| <software>cpe:/a:apache:tomcat:4.1.2</software> | |
| <software>cpe:/a:apache:tomcat:4.1.3</software> | |
| <software>cpe:/a:apache:tomcat:4.1.3:beta</software> | |
| <software>cpe:/a:apache:tomcat:4.1.9:beta</software> | |
| <software>cpe:/a:apache:tomcat:4.1.10</software> | |
| <software>cpe:/a:apache:tomcat:4.1.12</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2002-1658</name> | |
| <cvssScore>4.6</cvssScore> | |
| <cvssAccessVector>LOCAL</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>Buffer overflow in htdigest in Apache 1.3.26 and 1.3.27 may allow attackers to execute arbitrary code via a long user argument. NOTE: since htdigest is normally only locally accessible and not setuid or setgid, there are few attack vectors which would lead to an escalation of privileges, unless htdigest is executed from a CGI program. Therefore this may not be a vulnerability.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/5993</url> | |
| <name>5993</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=103480856102007&w=2</url> | |
| <name>20021016 Apache 1.3.26</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>https://sardonix.org/audit/apache-45.html</url> | |
| <name>https://sardonix.org/audit/apache-45.html</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/10414</url> | |
| <name>apache-htdigest-bo(10414)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:1.3.27</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2002-0843</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>Buffer overflows in the ApacheBench benchmark support program (ab.c) in Apache before 1.3.27, and Apache 2.x before 2.0.43, allow a malicious web server to cause a denial of service and possibly execute arbitrary code via a long response.</description> | |
| <references> | |
| <reference> | |
| <source>AIXAPAR</source> | |
| <url>http://www-1.ibm.com/support/search.wss?rs=0&q=IY87070&apar=only</url> | |
| <name>IY87070</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/5887</url> | |
| <name>5887</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/5995</url> | |
| <name>5995</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/5996</url> | |
| <name>5996</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=103376585508776&w=2</url> | |
| <name>20021003 [OpenPKG-SA-2002.009] OpenPKG Security Advisory (apache)</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2002-10/0229.html</url> | |
| <name>20021016 Apache 1.3.26</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2002-10/0254.html</url> | |
| <name>20021017 TSLSA-2002-0069-apache</name> | |
| </reference> | |
| <reference> | |
| <source>CONECTIVA</source> | |
| <url>http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000530</url> | |
| <name>CLA-2002:530</name> | |
| </reference> | |
| <reference> | |
| <source>CONECTIVA</source> | |
| <url>http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000530</url> | |
| <name>CLSA-2002:530</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://marc.info/?l=apache-httpd-announce&m=103367938230488&w=2</url> | |
| <name>http://marc.info/?l=apache-httpd-announce&m=103367938230488&w=2</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apacheweek.com/issues/02-10-04</url> | |
| <name>http://www.apacheweek.com/issues/02-10-04</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=2871</url> | |
| <name>http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=2871</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2002/dsa-187</url> | |
| <name>DSA-187</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2002/dsa-188</url> | |
| <name>DSA-188</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2002/dsa-195</url> | |
| <name>DSA-195</name> | |
| </reference> | |
| <reference> | |
| <source>ENGARDE</source> | |
| <url>http://www.linuxsecurity.com/advisories/other_advisory-2414.html</url> | |
| <name>ESA-20021007-024</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://online.securityfocus.com/advisories/4617</url> | |
| <name>HPSBUX0210-224</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-068.php</url> | |
| <name>MDKSA-2002:068</name> | |
| </reference> | |
| <reference> | |
| <source>SGI</source> | |
| <url>ftp://patches.sgi.com/support/free/security/advisories/20021105-01-I</url> | |
| <name>20021105-01-I</name> | |
| </reference> | |
| <reference> | |
| <source>VUPEN</source> | |
| <url>http://www.vupen.com/english/advisories/2006/3263</url> | |
| <name>ADV-2006-3263</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://www.iss.net/security_center/static/10281.php</url> | |
| <name>apache-apachebench-response-bo(10281)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:oracle:application_server:1.0.2</software> | |
| <software>cpe:/a:oracle:application_server:1.0.2.1s</software> | |
| <software>cpe:/a:oracle:application_server:1.0.2.2</software> | |
| <software>cpe:/a:oracle:application_server:9.0.2</software> | |
| <software>cpe:/a:oracle:application_server:9.0.2:r2</software> | |
| <software>cpe:/a:oracle:application_server:9.0.2.1</software> | |
| <software>cpe:/a:oracle:database_server:8.1.7</software> | |
| <software>cpe:/a:oracle:database_server:9.2.2</software> | |
| <software>cpe:/a:oracle:oracle8i:8.1.7</software> | |
| <software>cpe:/a:oracle:oracle8i:8.1.7.0.0_enterprise</software> | |
| <software>cpe:/a:oracle:oracle8i:8.1.7.1</software> | |
| <software>cpe:/a:oracle:oracle8i:8.1.7.1.0_enterprise</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2002-0840</name> | |
| <cvssScore>6.8</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header, a different vulnerability than CAN-2002-1157.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/5847</url> | |
| <name>5847</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=103357160425708&w=2</url> | |
| <name>20021002 Apache 2 Cross-Site Scripting</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=103376585508776&w=2</url> | |
| <name>20021003 [OpenPKG-SA-2002.009] OpenPKG Security Advisory (apache)</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2002-10/0254.html</url> | |
| <name>20021017 TSLSA-2002-0069-apache</name> | |
| </reference> | |
| <reference> | |
| <source>CERT-VN</source> | |
| <url>http://www.kb.cert.org/vuls/id/240329</url> | |
| <name>VU#240329</name> | |
| </reference> | |
| <reference> | |
| <source>CONECTIVA</source> | |
| <url>http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000530</url> | |
| <name>CLA-2002:530</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://marc.info/?l=apache-httpd-announce&m=103367938230488&w=2</url> | |
| <name>http://marc.info/?l=apache-httpd-announce&m=103367938230488&w=2</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apacheweek.com/issues/02-10-04</url> | |
| <name>http://www.apacheweek.com/issues/02-10-04</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2002/dsa-187</url> | |
| <name>DSA-187</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2002/dsa-188</url> | |
| <name>DSA-188</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2002/dsa-195</url> | |
| <name>DSA-195</name> | |
| </reference> | |
| <reference> | |
| <source>ENGARDE</source> | |
| <url>http://www.linuxsecurity.com/advisories/other_advisory-2414.html</url> | |
| <name>ESA-20021007-024</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://online.securityfocus.com/advisories/4617</url> | |
| <name>HPSBUX0210-224</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-068.php</url> | |
| <name>MDKSA-2002:068</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2002-222.html</url> | |
| <name>RHSA-2002:222</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2002-243.html</url> | |
| <name>RHSA-2002:243</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2002-244.html</url> | |
| <name>RHSA-2002:244</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2002-248.html</url> | |
| <name>RHSA-2002:248</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2002-251.html</url> | |
| <name>RHSA-2002:251</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2003-106.html</url> | |
| <name>RHSA-2003:106</name> | |
| </reference> | |
| <reference> | |
| <source>SGI</source> | |
| <url>ftp://patches.sgi.com/support/free/security/advisories/20021105-02-I</url> | |
| <name>20021105-02-I</name> | |
| </reference> | |
| <reference> | |
| <source>VULNWATCH</source> | |
| <url>http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0003.html</url> | |
| <name>20021002 Apache 2 Cross-Site Scripting</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/10241</url> | |
| <name>apache-http-host-xss(10241)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.25</software> | |
| <software>cpe:/a:apache:http_server:1.3.26</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| <software>cpe:/a:apache:http_server:2.0.37</software> | |
| <software>cpe:/a:apache:http_server:2.0.38</software> | |
| <software>cpe:/a:apache:http_server:2.0.39</software> | |
| <software>cpe:/a:apache:http_server:2.0.40</software> | |
| <software>cpe:/a:apache:http_server:2.0.41</software> | |
| <software>cpe:/a:apache:http_server:2.0.42</software> | |
| <software>cpe:/a:oracle:application_server:1.0.2</software> | |
| <software>cpe:/a:oracle:application_server:1.0.2.1s</software> | |
| <software>cpe:/a:oracle:application_server:1.0.2.2</software> | |
| <software>cpe:/a:oracle:application_server:9.0.2</software> | |
| <software>cpe:/a:oracle:application_server:9.0.2:r2</software> | |
| <software>cpe:/a:oracle:application_server:9.0.2.1</software> | |
| <software>cpe:/a:oracle:database_server:8.1.7</software> | |
| <software>cpe:/a:oracle:database_server:9.2.1</software> | |
| <software>cpe:/a:oracle:database_server:9.2.2</software> | |
| <software>cpe:/a:oracle:oracle8i:8.1.7</software> | |
| <software>cpe:/a:oracle:oracle8i:8.1.7.1</software> | |
| <software>cpe:/a:oracle:oracle8i:8.1.7_.0.0_enterprise</software> | |
| <software>cpe:/a:oracle:oracle8i:8.1.7_.1.0_enterprise</software> | |
| <software>cpe:/a:oracle:oracle9i:9.0</software> | |
| <software>cpe:/a:oracle:oracle9i:9.0.1</software> | |
| <software>cpe:/a:oracle:oracle9i:9.0.1.2</software> | |
| <software>cpe:/a:oracle:oracle9i:9.0.1.3</software> | |
| <software>cpe:/a:oracle:oracle9i:9.0.2</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2002-0392</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a chunk-encoded HTTP request that causes Apache to use an incorrect size.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/20005</url> | |
| <name>20005</name> | |
| </reference> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/5033</url> | |
| <name>5033</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2002-06/0235.html</url> | |
| <name>20020619 [OpenPKG-SA-2002.004] OpenPKG Security Advisory (apache)</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://online.securityfocus.com/archive/1/278149</url> | |
| <name>20020621 [SECURITY] Remote exploit for 32-bit Apache HTTP Server known</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2002-06/0266.html</url> | |
| <name>20020621 [slackware-security] new apache/mod_ssl packages available</name> | |
| </reference> | |
| <reference> | |
| <source>CALDERA</source> | |
| <url>ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-029.0.txt</url> | |
| <name>CSSA-2002-029.0</name> | |
| </reference> | |
| <reference> | |
| <source>CALDERA</source> | |
| <url>ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31</url> | |
| <name>CSSA-2002-SCO.31</name> | |
| </reference> | |
| <reference> | |
| <source>CALDERA</source> | |
| <url>ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.32</url> | |
| <name>CSSA-2002-SCO.32</name> | |
| </reference> | |
| <reference> | |
| <source>CERT</source> | |
| <url>http://www.cert.org/advisories/CA-2002-17.html</url> | |
| <name>CA-2002-17</name> | |
| </reference> | |
| <reference> | |
| <source>CERT-VN</source> | |
| <url>http://www.kb.cert.org/vuls/id/944335</url> | |
| <name>VU#944335</name> | |
| </reference> | |
| <reference> | |
| <source>CONECTIVA</source> | |
| <url>http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000498</url> | |
| <name>CLSA-2002:498</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/info/security_bulletin_20020617.txt</url> | |
| <name>http://httpd.apache.org/info/security_bulletin_20020617.txt</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2002/dsa-131</url> | |
| <name>DSA-131</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2002/dsa-132</url> | |
| <name>DSA-132</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2002/dsa-133</url> | |
| <name>DSA-133</name> | |
| </reference> | |
| <reference> | |
| <source>ENGARDE</source> | |
| <url>http://www.linuxsecurity.com/advisories/other_advisory-2137.html</url> | |
| <name>ESA-20020619-014</name> | |
| </reference> | |
| <reference> | |
| <source>FRSIRT</source> | |
| <url>http://www.frsirt.com/english/advisories/2006/3598</url> | |
| <name>ADV-2006-3598</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://online.securityfocus.com/advisories/4240</url> | |
| <name>HPSBTL0206-049</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://online.securityfocus.com/advisories/4257</url> | |
| <name>HPSBUX0207-197</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000083816475</url> | |
| <name>SSRT050968</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:039</url> | |
| <name>MDKSA-2002:039</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2002-103.html</url> | |
| <name>RHSA-2002:103</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2002-117.html</url> | |
| <name>RHSA-2002:117</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2002-118.html</url> | |
| <name>RHSA-2002:118</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2002-126.html</url> | |
| <name>RHSA-2002:126</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2002-150.html</url> | |
| <name>RHSA-2002:150</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://www.redhat.com/support/errata/RHSA-2003-106.html</url> | |
| <name>RHSA-2003:106</name> | |
| </reference> | |
| <reference> | |
| <source>SGI</source> | |
| <url>ftp://patches.sgi.com/support/free/security/advisories/20020605-01-A</url> | |
| <name>20020605-01-A</name> | |
| </reference> | |
| <reference> | |
| <source>SGI</source> | |
| <url>ftp://patches.sgi.com/support/free/security/advisories/20020605-01-I</url> | |
| <name>20020605-01-I</name> | |
| </reference> | |
| <reference> | |
| <source>SUSE</source> | |
| <url>http://www.novell.com/linux/security/advisories/2002_22_apache.html</url> | |
| <name>SuSE-SA:2002:022</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://www.iss.net/security_center/static/9249.php</url> | |
| <name>apache-chunked-encoding-bo(9249)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.0</software> | |
| <software>cpe:/a:apache:http_server:1.0.2</software> | |
| <software>cpe:/a:apache:http_server:1.0.3</software> | |
| <software>cpe:/a:apache:http_server:1.0.5</software> | |
| <software>cpe:/a:apache:http_server:1.1</software> | |
| <software>cpe:/a:apache:http_server:1.1.1</software> | |
| <software>cpe:/a:apache:http_server:1.2</software> | |
| <software>cpe:/a:apache:http_server:1.2.5</software> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.11::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.12::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.13::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.14::mac_os</software> | |
| <software>cpe:/a:apache:http_server:1.3.14::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.15::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.16::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.17::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.18::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software>cpe:/a:apache:http_server:1.3.19::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.20</software> | |
| <software>cpe:/a:apache:http_server:1.3.20::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.22</software> | |
| <software>cpe:/a:apache:http_server:1.3.22::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.23</software> | |
| <software>cpe:/a:apache:http_server:1.3.23::win32</software> | |
| <software>cpe:/a:apache:http_server:1.3.24</software> | |
| <software>cpe:/a:apache:http_server:1.3.24::win32</software> | |
| <software>cpe:/a:apache:http_server:2.0</software> | |
| <software>cpe:/a:apache:http_server:2.0.28</software> | |
| <software>cpe:/a:apache:http_server:2.0.32</software> | |
| <software>cpe:/a:apache:http_server:2.0.35</software> | |
| <software>cpe:/a:apache:http_server:2.0.36</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2001-1556</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>The log files in Apache web server contain information directly supplied by clients and does not filter or quote control characters, which could allow remote attackers to hide HTTP requests and spoof source IP addresses when logs are viewed with UNIX programs such as cat, tail, and grep.</description> | |
| <references> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2001-10/0231.html</url> | |
| <name>20011024 Hidden requests to Apache</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/docs/logs.html</url> | |
| <name>http://httpd.apache.org/docs/logs.html</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://www.iss.net/security_center/static/7363.php</url> | |
| <name>apache-hidden-http-request(7363)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2001-1534</name> | |
| <cvssScore>2.1</cvssScore> | |
| <cvssAccessVector>LOCAL</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Low</severity> | |
| <description>mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/3521</url> | |
| <name>3521</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00084.html</url> | |
| <name>20011113 Brute-Forcing Web Application Session IDs</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://www.iss.net/security_center/static/7494.php</url> | |
| <name>apache-modusertrack-predicticable-sessionid(7494)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:apache:http_server:1.3.19</software> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:1.3.20</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2001-1449</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>The default installation of Apache before 1.3.19 on Mandrake Linux 7.1 through 8.0 and Linux Corporate Server 1.0.1 allows remote attackers to list the directory index of arbitrary web directories.</description> | |
| <references> | |
| <reference> | |
| <source>CERT-VN</source> | |
| <url>http://www.kb.cert.org/vuls/id/913704</url> | |
| <name>VU#913704</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://www.mandriva.com/security/advisories?name=MDKSA-2001:077-2</url> | |
| <name>MDKSA-2001:077</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/8029</url> | |
| <name>mandrake-apache-browse-directories(8029)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| <software>cpe:/a:apache:http_server:1.3.12</software> | |
| <software>cpe:/a:apache:http_server:1.3.14</software> | |
| <software>cpe:/a:apache:http_server:1.3.17</software> | |
| <software>cpe:/a:apache:http_server:1.3.18</software> | |
| <software>cpe:/a:mandrakesoft:mandrake_single_network_firewall:7.2</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2001-0925</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>The default installation of Apache before 1.3.19 allows remote attackers to list directories instead of the multiview index.html file via an HTTP request for a path that contains many / (slash) characters, which causes the path to be mishandled by (1) mod_negotiation, (2) mod_dir, or (3) mod_autoindex.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/2503</url> | |
| <name>2503</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/168497</url> | |
| <name>20010312 FORW: [ANNOUNCE] Apache 1.3.19 Released</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/178066</url> | |
| <name>20010419 OpenBSD 2.8patched Apache vuln!</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/193081</url> | |
| <name>20010624 Fw: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-01-27&end=2002-02-02&mid=199857&threads=1</url> | |
| <name>20010726 Apache Artificially Long Slash Path Directory Listing Vulnerabili ty -- FILE READ ACCESS</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.apacheweek.com/features/security-13</url> | |
| <name>http://www.apacheweek.com/features/security-13</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2001/dsa-067</url> | |
| <name>DSA-067</name> | |
| </reference> | |
| <reference> | |
| <source>ENGARDE</source> | |
| <url>http://www.linuxsecurity.com/advisories/other_advisory-1452.html</url> | |
| <name>ESA-20010620-02</name> | |
| </reference> | |
| <reference> | |
| <source>MANDRAKE</source> | |
| <url>http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-077.php3</url> | |
| <name>MDKSA-2001:077</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/static/6921.php</url> | |
| <name>apache-slash-directory-listing(6921)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:1.3.19</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2001-0131</name> | |
| <cvssScore>1.2</cvssScore> | |
| <cvssAccessVector>LOCAL</cvssAccessVector> | |
| <cvssAccessComplexity>HIGH</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Low</severity> | |
| <description>htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/2182</url> | |
| <name>2182</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=97916374410647&w=2</url> | |
| <name>20010110 Immunix OS Security update for lots of temp file problems</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2001/dsa-021</url> | |
| <name>DSA-021</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/static/5926.php</url> | |
| <name>linux-apache-symlink(5926)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| <software>cpe:/a:immunix:immunix:7.0_beta</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2000-1205</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</cwe> | |
| <description>Cross site scripting vulnerabilities in Apache 1.3.0 through 1.3.11 allow remote attackers to execute script as other web site visitors via (1) the printenv CGI (printenv.pl), which does not encode its output, (2) pages generated by the ap_send_error_response function such as a default 404, which does not add an explicit charset, or (3) various messages that are generated by certain Apache modules or core code. NOTE: the printenv issue might still exist for web browsers that can render text/plain content types as HTML, such as Internet Explorer, but CVE regards this as a design limitation of those browsers, not Apache. The printenv.pl/acuparam vector, discloser on 20070724, is one such variant.</description> | |
| <references> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archives.neohapsis.com/archives/bugtraq/2002-12/0233.html</url> | |
| <name>20021222 'printenv' XSS vulnerability</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://archive.cert.uni-stuttgart.de/bugtraq/2002/12/msg00243.html</url> | |
| <name>20021223 Re: 'printenv' XSS vulnerability</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=118529436424127&w=2</url> | |
| <name>20070724 printenv.pl(all versions) cross site scripting Vulnerability</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://httpd.apache.org/info/css-security/apache_specific.html</url> | |
| <name>http://httpd.apache.org/info/css-security/apache_specific.html</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/35597</url> | |
| <name>apache-printenv-acuparam-xss(35597)</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/10938</url> | |
| <name>apache-printenv-xss(10938)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server:1.3.0</software> | |
| <software>cpe:/a:apache:http_server:1.3.1</software> | |
| <software>cpe:/a:apache:http_server:1.3.2</software> | |
| <software>cpe:/a:apache:http_server:1.3.3</software> | |
| <software>cpe:/a:apache:http_server:1.3.4</software> | |
| <software>cpe:/a:apache:http_server:1.3.5</software> | |
| <software>cpe:/a:apache:http_server:1.3.6</software> | |
| <software>cpe:/a:apache:http_server:1.3.7</software> | |
| <software>cpe:/a:apache:http_server:1.3.8</software> | |
| <software>cpe:/a:apache:http_server:1.3.9</software> | |
| <software>cpe:/a:apache:http_server:1.3.10</software> | |
| <software>cpe:/a:apache:http_server:1.3.11</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-1999-1412</name> | |
| <cvssScore>10.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>COMPLETE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>COMPLETE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/306</url> | |
| <name>306</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/14215</url> | |
| <name>19990603 MacOS X system panic with CGI</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-1999-1237</name> | |
| <cvssScore>10.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>COMPLETE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>COMPLETE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>Multiple buffer overflows in smbvalid/smbval SMB authentication library, as used in Apache::AuthenSmb and possibly other modules, allows remote attackers to execute arbitrary commands via (1) a long username, (2) a long password, and (3) other unspecified methods.</description> | |
| <references> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/14384</url> | |
| <name>19990606 Buffer overflows in smbval library</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/static/2272.php</url> | |
| <name>smbvalid-bo(2272)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-1999-1199</name> | |
| <cvssScore>10.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>COMPLETE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>COMPLETE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>Apache WWW server 1.3.1 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via a large number of MIME headers with the same name, aka the "sioux" vulnerability.</description> | |
| <references> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=90252779826784&w=2</url> | |
| <name>19980807 YA Apache DoS attack</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=90276683825862&w=2</url> | |
| <name>19980808 Debian Apache Security Update</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=90286768232093&w=2</url> | |
| <name>19980810 Apache DoS Attack</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://marc.info/?l=bugtraq&m=90280517007869&w=2</url> | |
| <name>19980811 Apache 'sioux' DOS fix for TurboLinux</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.redhat.com/support/errata/rh51-errata-general.html#apache</url> | |
| <name>http://www.redhat.com/support/errata/rh51-errata-general.html#apache</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:http_server:1.3.1</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-1999-0678</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/318</url> | |
| <name>318</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-1999-0289</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>NONE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL.</description> | |
| <references> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-1999-0236</name> | |
| <cvssScore>10.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>COMPLETE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>COMPLETE</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>COMPLETE</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.</description> | |
| <references> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| <software>cpe:/a:ncsa:servers</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-1999-0070</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>test-cgi program allows an attacker to list files on the server.</description> | |
| <references> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:http_server</software> | |
| <software>cpe:/a:ncsa:ncsa_web_server</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| </vulnerabilities> | |
| </dependency> | |
| <dependency> | |
| <fileName>jstl-1.0.2.jar</fileName> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/jstl-1.0.2.jar</filePath> | |
| <md5>cf9e9b25d8eadd23b3c9ee94e5daa355</md5> | |
| <sha1>d494cf539682127ec637157b8529111ca365a67b</sha1> | |
| <evidenceCollected> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>javax.servlet</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>jstl</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>jstl</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>javax</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>jsp</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>servlet</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>jstl</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>javax.servlet</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>jstl</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>jstl</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>jsp</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>jstl</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>servlet</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>jstl</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>javax.servlet</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>1.0.2</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>jstl</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>file</source> | |
| <name>version</name> | |
| <value>1.0.2</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>version</name> | |
| <value>1.0.2</value> | |
| </evidence> | |
| </evidenceCollected> | |
| <identifiers> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(javax.servlet:jstl:1.0.2)</name> | |
| <url>http://search.maven.org/remotecontent?filepath=javax/servlet/jstl/1.0.2/jstl-1.0.2.jar</url> | |
| </identifier> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(jstl:jstl:1.0.2)</name> | |
| <url>http://search.maven.org/remotecontent?filepath=jstl/jstl/1.0.2/jstl-1.0.2.jar</url> | |
| </identifier> | |
| </identifiers> | |
| </dependency> | |
| <dependency> | |
| <fileName>oro-2.0.8.jar</fileName> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/oro-2.0.8.jar</filePath> | |
| <md5>42e940d5d2d822f4dc04c65053e630ab</md5> | |
| <sha1>5592374f834645c4ae250f4c9fbb314c9369d698</sha1> | |
| <evidenceCollected> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>oro</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>oro</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>apache</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>oro</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>text</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>manifest: org/apache/oro</source> | |
| <name>Implementation-Vendor</name> | |
| <value>Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>oro</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>oro</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>oro</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>oro</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>oro</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>text</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>manifest: org/apache/oro</source> | |
| <name>Implementation-Title</name> | |
| <value>org.apache.oro</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>manifest: org/apache/oro</source> | |
| <name>Specification-Title</name> | |
| <value>Jakarta ORO</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>oro</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>oro</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>2.0.8</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>oro</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>file</source> | |
| <name>version</name> | |
| <value>2.0.8</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>manifest: org/apache/oro</source> | |
| <name>Implementation-Version</name> | |
| <value>2.0.8 2003-12-28 11:00:13</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>version</name> | |
| <value>2.0.8</value> | |
| </evidence> | |
| </evidenceCollected> | |
| <identifiers> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(oro:oro:2.0.8)</name> | |
| <url>http://search.maven.org/remotecontent?filepath=oro/oro/2.0.8/oro-2.0.8.jar</url> | |
| </identifier> | |
| </identifiers> | |
| </dependency> | |
| <dependency> | |
| <fileName>standard-1.0.6.jar</fileName> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/standard-1.0.6.jar</filePath> | |
| <md5>e56f6a326555b0192208464567b11c2c</md5> | |
| <sha1>72b2dab3d9723943f6f6839ef84ccc25a087e5fa</sha1> | |
| <evidenceCollected> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>taglibs</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>standard</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>apache</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>standard</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>taglibs</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>extension-name</name> | |
| <value>org.apache.taglibs.standard</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor</name> | |
| <value>Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor-Id</name> | |
| <value>org.apache</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>standard</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>taglibs</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>standard</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>standard</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>lang</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>standard</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>jar</source> | |
| <name>package name</name> | |
| <value>taglibs</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>extension-name</name> | |
| <value>org.apache.taglibs.standard</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Title</name> | |
| <value>jakarta-taglibs 'standard': an implementation of JSTL</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>specification-title</name> | |
| <value>JavaServer Pages Standard Tag Library (JSTL)</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>standard</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>taglibs</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>1.0.6</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>standard</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>file</source> | |
| <name>version</name> | |
| <value>1.0.6</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Version</name> | |
| <value>1.0.6</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>version</name> | |
| <value>1.0.6</value> | |
| </evidence> | |
| </evidenceCollected> | |
| <identifiers> | |
| <identifier type="cpe" confidence="LOW"> | |
| <name>(cpe:/a:apache:standard_taglibs:1.0.6)</name> | |
| </identifier> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(taglibs:standard:1.0.6)</name> | |
| <url>http://search.maven.org/remotecontent?filepath=taglibs/standard/1.0.6/standard-1.0.6.jar</url> | |
| </identifier> | |
| </identifiers> | |
| <vulnerabilities> | |
| <vulnerability> | |
| <name>CVE-2015-0254</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <description>Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/72809</url> | |
| <name>72809</name> | |
| </reference> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/534772/100/0/threaded</url> | |
| <name>20150227 [SECURITY] CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://packetstormsecurity.com/files/130575/Apache-Standard-Taglibs-1.2.1-XXE-Remote-Command-Execution.html</url> | |
| <name>http://packetstormsecurity.com/files/130575/Apache-Standard-Taglibs-1.2.1-XXE-Remote-Command-Execution.html</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://mail-archives.apache.org/mod_mbox/tomcat-taglibs-user/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E</url> | |
| <name>[tomcat-taglibs-user] 20150227 [SECURITY] CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2016-1838.html</url> | |
| <name>RHSA-2016:1838</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2016-1839.html</url> | |
| <name>RHSA-2016:1839</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2016-1840.html</url> | |
| <name>RHSA-2016:1840</name> | |
| </reference> | |
| <reference> | |
| <source>REDHAT</source> | |
| <url>http://rhn.redhat.com/errata/RHSA-2016-1841.html</url> | |
| <name>RHSA-2016:1841</name> | |
| </reference> | |
| <reference> | |
| <source>UBUNTU</source> | |
| <url>http://www.ubuntu.com/usn/USN-2551-1</url> | |
| <name>USN-2551-1</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:standard_taglibs:1.2.1</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| </vulnerabilities> | |
| </dependency> | |
| <dependency> | |
| <fileName>struts-core-1.3.10.jar</fileName> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/struts-core-1.3.10.jar</filePath> | |
| <md5>798d08a393c94513e632f2a062a01b5f</md5> | |
| <sha1>0c0f68cd5e17487c16d266d1280e3e16bef5a848</sha1> | |
| <relatedDependencies> | |
| <relatedDependency> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/struts-el-1.3.10.jar</filePath> | |
| <sha1>dcd9a743c6225e2330904cba1bf9b2516754dc13</sha1> | |
| <md5>7107eb55561254328434943850e4df41</md5> | |
| <identifier type="maven"> | |
| <name>(org.apache.struts:struts-el:1.3.10)</name> | |
| <url>http://search.maven.org/#search|ga|1|1%3A%22dcd9a743c6225e2330904cba1bf9b2516754dc13%22</url> | |
| </identifier> | |
| </relatedDependency> | |
| <relatedDependency> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/struts-extras-1.3.10.jar</filePath> | |
| <sha1>bbc4f2b320b7e2479f4fa42ff79006eb413e6c51</sha1> | |
| <md5>5e7998ebf2e6428162973554997044c3</md5> | |
| <identifier type="maven"> | |
| <name>(org.apache.struts:struts-extras:1.3.10)</name> | |
| <url>http://search.maven.org/#search|ga|1|1%3A%22bbc4f2b320b7e2479f4fa42ff79006eb413e6c51%22</url> | |
| </identifier> | |
| </relatedDependency> | |
| <relatedDependency> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/struts-faces-1.3.10.jar</filePath> | |
| <sha1>6fed60b15ec0e6c2f039fd98aabd7aaab3084e8c</sha1> | |
| <md5>f12c1416bf496ffd20895efc4b8b8a8e</md5> | |
| <identifier type="maven"> | |
| <name>(org.apache.struts:struts-faces:1.3.10)</name> | |
| <url>http://search.maven.org/#search|ga|1|1%3A%226fed60b15ec0e6c2f039fd98aabd7aaab3084e8c%22</url> | |
| </identifier> | |
| </relatedDependency> | |
| <relatedDependency> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/struts-mailreader-dao-1.3.10.jar</filePath> | |
| <sha1>d593c116ef0802f61603b722609cc28c81da4559</sha1> | |
| <md5>353c72e1f98a77780a2c232085908ab0</md5> | |
| <identifier type="maven"> | |
| <name>(org.apache.struts:struts-mailreader-dao:1.3.10)</name> | |
| <url>http://search.maven.org/#search|ga|1|1%3A%22d593c116ef0802f61603b722609cc28c81da4559%22</url> | |
| </identifier> | |
| </relatedDependency> | |
| <relatedDependency> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/struts-scripting-1.3.10.jar</filePath> | |
| <sha1>57ce5dca514ba7ccb83081bb839d293f1a0ba704</sha1> | |
| <md5>e6eb42432b0bae363dd74579b136c70d</md5> | |
| <identifier type="maven"> | |
| <name>(org.apache.struts:struts-scripting:1.3.10)</name> | |
| <url>http://search.maven.org/#search|ga|1|1%3A%2257ce5dca514ba7ccb83081bb839d293f1a0ba704%22</url> | |
| </identifier> | |
| </relatedDependency> | |
| <relatedDependency> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/struts-taglib-1.3.10.jar</filePath> | |
| <sha1>9ef247d8eb03a09a3b1c9d434f9f9acd45ba1c62</sha1> | |
| <md5>7bd34160241fde4a24021cb89351bdba</md5> | |
| <identifier type="maven"> | |
| <name>(org.apache.struts:struts-taglib:1.3.10)</name> | |
| <url>http://search.maven.org/#search|ga|1|1%3A%229ef247d8eb03a09a3b1c9d434f9f9acd45ba1c62%22</url> | |
| </identifier> | |
| </relatedDependency> | |
| </relatedDependencies> | |
| <evidenceCollected> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>org.apache.struts</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>struts-core</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor</name> | |
| <value>Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor-Id</name> | |
| <value>org.apache.struts</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>Manifest</source> | |
| <name>specification-vendor</name> | |
| <value>Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>struts-core</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>apache.struts</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>Struts Core</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>parent-artifactid</name> | |
| <value>struts-parent</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>pom</source> | |
| <name>parent-groupid</name> | |
| <value>org.apache.struts</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>url</name> | |
| <value>http://struts.apache.org</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>struts-core</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>struts-core</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Title</name> | |
| <value>Struts Core</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>specification-title</name> | |
| <value>Struts Core</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>struts-core</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>apache.struts</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>Struts Core</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>pom</source> | |
| <name>parent-artifactid</name> | |
| <value>struts-parent</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>parent-groupid</name> | |
| <value>org.apache.struts</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>1.3.10</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>struts-core</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>file</source> | |
| <name>version</name> | |
| <value>1.3.10</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Version</name> | |
| <value>1.3.10</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>version</name> | |
| <value>1.3.10</value> | |
| </evidence> | |
| </evidenceCollected> | |
| <identifiers> | |
| <identifier type="cpe" confidence="HIGHEST"> | |
| <name>(cpe:/a:apache:struts:1.3.10)</name> | |
| <url>https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Astruts%3A1.3.10</url> | |
| </identifier> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(org.apache.struts:struts-core:1.3.10)</name> | |
| <url>http://search.maven.org/#search|ga|1|1%3A%220c0f68cd5e17487c16d266d1280e3e16bef5a848%22</url> | |
| </identifier> | |
| </identifiers> | |
| <vulnerabilities> | |
| <vulnerability> | |
| <name>CVE-2016-1182</name> | |
| <cvssScore>6.4</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-20 Improper Input Validation</cwe> | |
| <description>ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/91787</url> | |
| <name>91787</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html</url> | |
| <name>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=1343540</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=1343540</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8</url> | |
| <name>https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://security-tracker.debian.org/tracker/CVE-2016-1182</url> | |
| <name>https://security-tracker.debian.org/tracker/CVE-2016-1182</name> | |
| </reference> | |
| <reference> | |
| <source>JVN</source> | |
| <url>http://jvn.jp/en/jp/JVN65044642/index.html</url> | |
| <name>JVN#65044642</name> | |
| </reference> | |
| <reference> | |
| <source>JVNDB</source> | |
| <url>http://jvndb.jvn.jp/jvndb/JVNDB-2016-000097</url> | |
| <name>JVNDB-2016-000097</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:struts:1.0</software> | |
| <software>cpe:/a:apache:struts:1.0.2</software> | |
| <software>cpe:/a:apache:struts:1.1</software> | |
| <software>cpe:/a:apache:struts:1.1:b1</software> | |
| <software>cpe:/a:apache:struts:1.1:b2</software> | |
| <software>cpe:/a:apache:struts:1.1:b3</software> | |
| <software>cpe:/a:apache:struts:1.1:rc1</software> | |
| <software>cpe:/a:apache:struts:1.1:rc2</software> | |
| <software>cpe:/a:apache:struts:1.2.2</software> | |
| <software>cpe:/a:apache:struts:1.2.4</software> | |
| <software>cpe:/a:apache:struts:1.2.6</software> | |
| <software>cpe:/a:apache:struts:1.2.7</software> | |
| <software>cpe:/a:apache:struts:1.2.8</software> | |
| <software>cpe:/a:apache:struts:1.2.9</software> | |
| <software>cpe:/a:apache:struts:1.3.5</software> | |
| <software>cpe:/a:apache:struts:1.3.8</software> | |
| <software>cpe:/a:apache:struts:1.3.10</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2016-1181</name> | |
| <cvssScore>6.8</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/91787</url> | |
| <name>91787</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html</url> | |
| <name>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=1343538</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=1343538</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8</url> | |
| <name>https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://security-tracker.debian.org/tracker/CVE-2016-1181</url> | |
| <name>https://security-tracker.debian.org/tracker/CVE-2016-1181</name> | |
| </reference> | |
| <reference> | |
| <source>JVN</source> | |
| <url>http://jvn.jp/en/jp/JVN03188560/index.html</url> | |
| <name>JVN#03188560</name> | |
| </reference> | |
| <reference> | |
| <source>JVNDB</source> | |
| <url>http://jvndb.jvn.jp/jvndb/JVNDB-2016-000096</url> | |
| <name>JVNDB-2016-000096</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:struts:1.0</software> | |
| <software>cpe:/a:apache:struts:1.0.2</software> | |
| <software>cpe:/a:apache:struts:1.1</software> | |
| <software>cpe:/a:apache:struts:1.1:b1</software> | |
| <software>cpe:/a:apache:struts:1.1:b2</software> | |
| <software>cpe:/a:apache:struts:1.1:b3</software> | |
| <software>cpe:/a:apache:struts:1.1:rc1</software> | |
| <software>cpe:/a:apache:struts:1.1:rc2</software> | |
| <software>cpe:/a:apache:struts:1.2.2</software> | |
| <software>cpe:/a:apache:struts:1.2.4</software> | |
| <software>cpe:/a:apache:struts:1.2.6</software> | |
| <software>cpe:/a:apache:struts:1.2.7</software> | |
| <software>cpe:/a:apache:struts:1.2.8</software> | |
| <software>cpe:/a:apache:struts:1.2.9</software> | |
| <software>cpe:/a:apache:struts:1.3.5</software> | |
| <software>cpe:/a:apache:struts:1.3.8</software> | |
| <software>cpe:/a:apache:struts:1.3.10</software> | |
| <software>cpe:/a:oracle:banking_platform:2.3.0</software> | |
| <software>cpe:/a:oracle:banking_platform:2.4.0</software> | |
| <software>cpe:/a:oracle:banking_platform:2.4.1</software> | |
| <software>cpe:/a:oracle:banking_platform:2.5.0</software> | |
| <software>cpe:/a:oracle:portal:11.1.1.6</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2015-0899</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-20 Improper Input Validation</cwe> | |
| <description>The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.</description> | |
| <references> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN</url> | |
| <name>https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN</name> | |
| </reference> | |
| <reference> | |
| <source>JVN</source> | |
| <url>http://jvn.jp/en/jp/JVN86448949/index.html</url> | |
| <name>JVN#86448949</name> | |
| </reference> | |
| <reference> | |
| <source>JVNDB</source> | |
| <url>http://jvndb.jvn.jp/jvndb/JVNDB-2015-000042</url> | |
| <name>JVNDB-2015-000042</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:struts:1.0</software> | |
| <software>cpe:/a:apache:struts:1.0.2</software> | |
| <software>cpe:/a:apache:struts:1.1</software> | |
| <software>cpe:/a:apache:struts:1.1:b1</software> | |
| <software>cpe:/a:apache:struts:1.1:b2</software> | |
| <software>cpe:/a:apache:struts:1.1:b3</software> | |
| <software>cpe:/a:apache:struts:1.1:rc1</software> | |
| <software>cpe:/a:apache:struts:1.1:rc2</software> | |
| <software>cpe:/a:apache:struts:1.2.2</software> | |
| <software>cpe:/a:apache:struts:1.2.4</software> | |
| <software>cpe:/a:apache:struts:1.2.6</software> | |
| <software>cpe:/a:apache:struts:1.2.7</software> | |
| <software>cpe:/a:apache:struts:1.2.8</software> | |
| <software>cpe:/a:apache:struts:1.2.9</software> | |
| <software>cpe:/a:apache:struts:1.3.5</software> | |
| <software>cpe:/a:apache:struts:1.3.8</software> | |
| <software>cpe:/a:apache:struts:1.3.10</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2014-0114</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <cwe>CWE-20 Improper Input Validation</cwe> | |
| <description>Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.</description> | |
| <references> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/534161/100/0/threaded</url> | |
| <name>20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt</url> | |
| <name>http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676091</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676091</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676303</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676303</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676375</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676375</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676931</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676931</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html</url> | |
| <name>http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.vmware.com/security/advisories/VMSA-2014-0012.html</url> | |
| <name>http://www.vmware.com/security/advisories/VMSA-2014-0012.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://access.redhat.com/solutions/869353</url> | |
| <name>https://access.redhat.com/solutions/869353</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=1091938</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=1091938</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=1116665</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=1116665</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://issues.apache.org/jira/browse/BEANUTILS-463</url> | |
| <name>https://issues.apache.org/jira/browse/BEANUTILS-463</name> | |
| </reference> | |
| <reference> | |
| <source>DEBIAN</source> | |
| <url>http://www.debian.org/security/2014/dsa-2940</url> | |
| <name>DSA-2940</name> | |
| </reference> | |
| <reference> | |
| <source>FEDORA</source> | |
| <url>http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html</url> | |
| <name>FEDORA-2014-9380</name> | |
| </reference> | |
| <reference> | |
| <source>FULLDISC</source> | |
| <url>http://seclists.org/fulldisclosure/2014/Dec/23</url> | |
| <name>20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=140119284401582&w=2</url> | |
| <name>HPSBGN03041</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=140801096002766&w=2</url> | |
| <name>HPSBMU03090</name> | |
| </reference> | |
| <reference> | |
| <source>HP</source> | |
| <url>http://marc.info/?l=bugtraq&m=141451023707502&w=2</url> | |
| <name>HPSBST03160</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://openwall.com/lists/oss-security/2014/06/15/10</url> | |
| <name>[oss-security] 20140616 CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE</name> | |
| </reference> | |
| <reference> | |
| <source>MLIST</source> | |
| <url>http://openwall.com/lists/oss-security/2014/07/08/1</url> | |
| <name>[oss-security] 20140707 Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software allPreviousVersion="true">cpe:/a:apache:commons_beanutils:1.9.1</software> | |
| <software>cpe:/a:apache:struts:1.0</software> | |
| <software>cpe:/a:apache:struts:1.0.2</software> | |
| <software>cpe:/a:apache:struts:1.1</software> | |
| <software>cpe:/a:apache:struts:1.1:b1</software> | |
| <software>cpe:/a:apache:struts:1.1:b2</software> | |
| <software>cpe:/a:apache:struts:1.1:b3</software> | |
| <software>cpe:/a:apache:struts:1.1:rc1</software> | |
| <software>cpe:/a:apache:struts:1.1:rc2</software> | |
| <software>cpe:/a:apache:struts:1.2.2</software> | |
| <software>cpe:/a:apache:struts:1.2.4</software> | |
| <software>cpe:/a:apache:struts:1.2.6</software> | |
| <software>cpe:/a:apache:struts:1.2.7</software> | |
| <software>cpe:/a:apache:struts:1.2.8</software> | |
| <software>cpe:/a:apache:struts:1.2.9</software> | |
| <software>cpe:/a:apache:struts:1.3.5</software> | |
| <software>cpe:/a:apache:struts:1.3.8</software> | |
| <software>cpe:/a:apache:struts:1.3.10</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2012-1007</name> | |
| <cvssScore>4.3</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</cwe> | |
| <description>Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do.</description> | |
| <references> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt</url> | |
| <name>http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt</name> | |
| </reference> | |
| <reference> | |
| <source>MISC</source> | |
| <url>http://secpod.org/blog/?p=450</url> | |
| <name>http://secpod.org/blog/?p=450</name> | |
| </reference> | |
| <reference> | |
| <source>XF</source> | |
| <url>http://xforce.iss.net/xforce/xfdb/73052</url> | |
| <name>apache-struts-name-xss(73052)</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:struts:1.3.10</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| </vulnerabilities> | |
| </dependency> | |
| <dependency> | |
| <fileName>struts-tiles-1.3.10.jar</fileName> | |
| <filePath>/Users/kotakanbe/Downloads/struts-1.3.10/lib/struts-tiles-1.3.10.jar</filePath> | |
| <md5>ccbd1663f2ba5bae4f264c6f416ef7dc</md5> | |
| <sha1>40693e3aa8a8586b8baa0317d0127597cad3d5ec</sha1> | |
| <evidenceCollected> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>groupid</name> | |
| <value>org.apache.struts</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>struts-tiles</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor</name> | |
| <value>Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>Implementation-Vendor-Id</name> | |
| <value>org.apache.struts</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>Manifest</source> | |
| <name>specification-vendor</name> | |
| <value>Apache Software Foundation</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>struts-tiles</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>apache.struts</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>Struts Tiles</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="LOW"> | |
| <source>pom</source> | |
| <name>parent-artifactid</name> | |
| <value>struts-parent</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="MEDIUM"> | |
| <source>pom</source> | |
| <name>parent-groupid</name> | |
| <value>org.apache.struts</value> | |
| </evidence> | |
| <evidence type="vendor" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>url</name> | |
| <value>http://struts.apache.org</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>artifactid</name> | |
| <value>struts-tiles</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>struts-tiles</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Title</name> | |
| <value>Struts Tiles</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>Manifest</source> | |
| <name>specification-title</name> | |
| <value>Struts Tiles</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>artifactid</name> | |
| <value>struts-tiles</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>groupid</name> | |
| <value>apache.struts</value> | |
| </evidence> | |
| <evidence type="product" confidence="HIGH"> | |
| <source>pom</source> | |
| <name>name</name> | |
| <value>Struts Tiles</value> | |
| </evidence> | |
| <evidence type="product" confidence="MEDIUM"> | |
| <source>pom</source> | |
| <name>parent-artifactid</name> | |
| <value>struts-parent</value> | |
| </evidence> | |
| <evidence type="product" confidence="LOW"> | |
| <source>pom</source> | |
| <name>parent-groupid</name> | |
| <value>org.apache.struts</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>central</source> | |
| <name>version</name> | |
| <value>1.3.10</value> | |
| </evidence> | |
| <evidence type="version" confidence="MEDIUM"> | |
| <source>file</source> | |
| <name>name</name> | |
| <value>struts-tiles</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>file</source> | |
| <name>version</name> | |
| <value>1.3.10</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGH"> | |
| <source>Manifest</source> | |
| <name>Implementation-Version</name> | |
| <value>1.3.10</value> | |
| </evidence> | |
| <evidence type="version" confidence="HIGHEST"> | |
| <source>pom</source> | |
| <name>version</name> | |
| <value>1.3.10</value> | |
| </evidence> | |
| </evidenceCollected> | |
| <identifiers> | |
| <identifier type="cpe" confidence="HIGHEST"> | |
| <name>(cpe:/a:apache:struts:1.3.10)</name> | |
| <url>https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Aapache%3Astruts%3A1.3.10</url> | |
| </identifier> | |
| <identifier type="cpe" confidence="LOW"> | |
| <name>(cpe:/a:apache:tiles:1.3.10)</name> | |
| </identifier> | |
| <identifier type="maven" confidence="HIGHEST"> | |
| <name>(org.apache.struts:struts-tiles:1.3.10)</name> | |
| <url>http://search.maven.org/#search|ga|1|1%3A%2240693e3aa8a8586b8baa0317d0127597cad3d5ec%22</url> | |
| </identifier> | |
| </identifiers> | |
| <vulnerabilities> | |
| <vulnerability> | |
| <name>CVE-2016-1182</name> | |
| <cvssScore>6.4</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-20 Improper Input Validation</cwe> | |
| <description>ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/91787</url> | |
| <name>91787</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html</url> | |
| <name>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=1343540</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=1343540</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8</url> | |
| <name>https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://security-tracker.debian.org/tracker/CVE-2016-1182</url> | |
| <name>https://security-tracker.debian.org/tracker/CVE-2016-1182</name> | |
| </reference> | |
| <reference> | |
| <source>JVN</source> | |
| <url>http://jvn.jp/en/jp/JVN65044642/index.html</url> | |
| <name>JVN#65044642</name> | |
| </reference> | |
| <reference> | |
| <source>JVNDB</source> | |
| <url>http://jvndb.jvn.jp/jvndb/JVNDB-2016-000097</url> | |
| <name>JVNDB-2016-000097</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:struts:1.0</software> | |
| <software>cpe:/a:apache:struts:1.0.2</software> | |
| <software>cpe:/a:apache:struts:1.1</software> | |
| <software>cpe:/a:apache:struts:1.1:b1</software> | |
| <software>cpe:/a:apache:struts:1.1:b2</software> | |
| <software>cpe:/a:apache:struts:1.1:b3</software> | |
| <software>cpe:/a:apache:struts:1.1:rc1</software> | |
| <software>cpe:/a:apache:struts:1.1:rc2</software> | |
| <software>cpe:/a:apache:struts:1.2.2</software> | |
| <software>cpe:/a:apache:struts:1.2.4</software> | |
| <software>cpe:/a:apache:struts:1.2.6</software> | |
| <software>cpe:/a:apache:struts:1.2.7</software> | |
| <software>cpe:/a:apache:struts:1.2.8</software> | |
| <software>cpe:/a:apache:struts:1.2.9</software> | |
| <software>cpe:/a:apache:struts:1.3.5</software> | |
| <software>cpe:/a:apache:struts:1.3.8</software> | |
| <software>cpe:/a:apache:struts:1.3.10</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2016-1181</name> | |
| <cvssScore>6.8</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>MEDIUM</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <description>ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.</description> | |
| <references> | |
| <reference> | |
| <source>BID</source> | |
| <url>http://www.securityfocus.com/bid/91787</url> | |
| <name>91787</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html</url> | |
| <name>http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://bugzilla.redhat.com/show_bug.cgi?id=1343538</url> | |
| <name>https://bugzilla.redhat.com/show_bug.cgi?id=1343538</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8</url> | |
| <name>https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://security-tracker.debian.org/tracker/CVE-2016-1181</url> | |
| <name>https://security-tracker.debian.org/tracker/CVE-2016-1181</name> | |
| </reference> | |
| <reference> | |
| <source>JVN</source> | |
| <url>http://jvn.jp/en/jp/JVN03188560/index.html</url> | |
| <name>JVN#03188560</name> | |
| </reference> | |
| <reference> | |
| <source>JVNDB</source> | |
| <url>http://jvndb.jvn.jp/jvndb/JVNDB-2016-000096</url> | |
| <name>JVNDB-2016-000096</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:struts:1.0</software> | |
| <software>cpe:/a:apache:struts:1.0.2</software> | |
| <software>cpe:/a:apache:struts:1.1</software> | |
| <software>cpe:/a:apache:struts:1.1:b1</software> | |
| <software>cpe:/a:apache:struts:1.1:b2</software> | |
| <software>cpe:/a:apache:struts:1.1:b3</software> | |
| <software>cpe:/a:apache:struts:1.1:rc1</software> | |
| <software>cpe:/a:apache:struts:1.1:rc2</software> | |
| <software>cpe:/a:apache:struts:1.2.2</software> | |
| <software>cpe:/a:apache:struts:1.2.4</software> | |
| <software>cpe:/a:apache:struts:1.2.6</software> | |
| <software>cpe:/a:apache:struts:1.2.7</software> | |
| <software>cpe:/a:apache:struts:1.2.8</software> | |
| <software>cpe:/a:apache:struts:1.2.9</software> | |
| <software>cpe:/a:apache:struts:1.3.5</software> | |
| <software>cpe:/a:apache:struts:1.3.8</software> | |
| <software>cpe:/a:apache:struts:1.3.10</software> | |
| <software>cpe:/a:oracle:banking_platform:2.3.0</software> | |
| <software>cpe:/a:oracle:banking_platform:2.4.0</software> | |
| <software>cpe:/a:oracle:banking_platform:2.4.1</software> | |
| <software>cpe:/a:oracle:banking_platform:2.5.0</software> | |
| <software>cpe:/a:oracle:portal:11.1.1.6</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2015-0899</name> | |
| <cvssScore>5.0</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>NONE</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>NONE</cvssAvailabilityImpact> | |
| <severity>Medium</severity> | |
| <cwe>CWE-20 Improper Input Validation</cwe> | |
| <description>The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.</description> | |
| <references> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN</url> | |
| <name>https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN</name> | |
| </reference> | |
| <reference> | |
| <source>JVN</source> | |
| <url>http://jvn.jp/en/jp/JVN86448949/index.html</url> | |
| <name>JVN#86448949</name> | |
| </reference> | |
| <reference> | |
| <source>JVNDB</source> | |
| <url>http://jvndb.jvn.jp/jvndb/JVNDB-2015-000042</url> | |
| <name>JVNDB-2015-000042</name> | |
| </reference> | |
| </references> | |
| <vulnerableSoftware> | |
| <software>cpe:/a:apache:struts:1.0</software> | |
| <software>cpe:/a:apache:struts:1.0.2</software> | |
| <software>cpe:/a:apache:struts:1.1</software> | |
| <software>cpe:/a:apache:struts:1.1:b1</software> | |
| <software>cpe:/a:apache:struts:1.1:b2</software> | |
| <software>cpe:/a:apache:struts:1.1:b3</software> | |
| <software>cpe:/a:apache:struts:1.1:rc1</software> | |
| <software>cpe:/a:apache:struts:1.1:rc2</software> | |
| <software>cpe:/a:apache:struts:1.2.2</software> | |
| <software>cpe:/a:apache:struts:1.2.4</software> | |
| <software>cpe:/a:apache:struts:1.2.6</software> | |
| <software>cpe:/a:apache:struts:1.2.7</software> | |
| <software>cpe:/a:apache:struts:1.2.8</software> | |
| <software>cpe:/a:apache:struts:1.2.9</software> | |
| <software>cpe:/a:apache:struts:1.3.5</software> | |
| <software>cpe:/a:apache:struts:1.3.8</software> | |
| <software>cpe:/a:apache:struts:1.3.10</software> | |
| </vulnerableSoftware> | |
| </vulnerability> | |
| <vulnerability> | |
| <name>CVE-2014-0114</name> | |
| <cvssScore>7.5</cvssScore> | |
| <cvssAccessVector>NETWORK</cvssAccessVector> | |
| <cvssAccessComplexity>LOW</cvssAccessComplexity> | |
| <cvssAuthenticationr>NONE</cvssAuthenticationr> | |
| <cvssConfidentialImpact>PARTIAL</cvssConfidentialImpact> | |
| <cvssIntegrityImpact>PARTIAL</cvssIntegrityImpact> | |
| <cvssAvailabilityImpact>PARTIAL</cvssAvailabilityImpact> | |
| <severity>High</severity> | |
| <cwe>CWE-20 Improper Input Validation</cwe> | |
| <description>Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.</description> | |
| <references> | |
| <reference> | |
| <source>BUGTRAQ</source> | |
| <url>http://www.securityfocus.com/archive/1/archive/1/534161/100/0/threaded</url> | |
| <name>20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt</url> | |
| <name>http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676091</url> | |
| <name>http://www-01.ibm.com/support/docview.wss?uid=swg21676091</name> | |
| </reference> | |
| <reference> | |
| <source>CONFIRM</source> | |
| <url>http://www-01.ibm.com/support/docview.wss?uid=swg21676303</url> | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment