ID CVE-2003-0189
Summary The authentication module for Apache 2.0.40 through 2.0.45 on Unix does not properly handle threads safely when using the crypt_r or crypt functions, which allows remote attackers to cause a denial of service (failed Basic authentication with valid usernames and passwords) when a threaded MPM is used.
References
Vulnerable Configurations
  • Apache Software Foundation Apache HTTP Server 2.0.40
    cpe:2.3:a:apache:http_server:2.0.40
  • Apache Software Foundation Apache HTTP Server 2.0.41
    cpe:2.3:a:apache:http_server:2.0.41
  • Apache Software Foundation Apache HTTP Server 2.0.42
    cpe:2.3:a:apache:http_server:2.0.42
  • Apache Software Foundation Apache HTTP Server 2.0.43
    cpe:2.3:a:apache:http_server:2.0.43
  • Apache Software Foundation Apache HTTP Server 2.0.44
    cpe:2.3:a:apache:http_server:2.0.44
  • Apache Software Foundation Apache HTTP Server 2.0.45
    cpe:2.3:a:apache:http_server:2.0.45
CVSS
Base: 5.0 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
nessus via4
  • NASL family Web Servers
    NASL id APACHE_2_0_46.NASL
    description The remote host appears to be running a version of Apache 2.0.x that is prior to 2.0.46. It is, therefore, affected by multiple denial of service vulnerabilities:
      - There is a denial of service vulnerability that may allow an attacker to disable basic authentication on this host.
      - There is a denial of service vulnerability in the mod_dav module that may allow an attacker to crash this service remotely.
    last seen 2019-02-21
    modified 2018-06-29
    plugin id 11665
    published 2003-05-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=11665
    title Apache 2.0.x < 2.0.46 Multiple DoS
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2003-063.NASL
    description Two vulnerabilities were discovered in the Apache web server that affect all 2.x versions prior to 2.0.46. The first, discovered by John Hughes, is a build system problem that allows remote attackers to prevent access to authenticated content when a threaded server is used. This only affects versions of Apache compiled with threaded server 'httpd.worker', which is not the default for Mandrake Linux. The second vulnerability, discovered by iDefense, allows remote attackers to cause a DoS (Denial of Service) condition and may also allow the execution of arbitrary code. The provided packages include back-ported fixes to correct these vulnerabilities and MandrakeSoft encourages all users to upgrade immediately. Update: The previous update mistakenly listed apache-conf packages which were never included, nor intended to be included, as part of the update.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14046
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14046
    title Mandrake Linux Security Advisory : apache2 (MDKSA-2003:063-1)
redhat via4
  • advisories
    rhsa id RHSA-2003:186
refmap via4
bid 7725
bugtraq 20030528 [SECURITY] [ANNOUNCE] Apache 2.0.46 released
cert-vn VU#479268
conectiva CLA-2003:661
confirm http://www.apache.org/dist/httpd/Announcement2.html
secunia 8881
xf apache-aprpasswordvalidate-dos(12091)
statements via4
contributor Mark J Cox
lastmodified 2008-07-02
organization Apache
statement Fixed in Apache HTTP Server 2.0.46: http://httpd.apache.org/security/vulnerabilities_20.html
Last major update 17-10-2016 - 22:30
Published 09-06-2003 - 00:00
Last modified 10-07-2017 - 21:29