ID CVE-2014-8567
Summary The mod_auth_mellon module before 0.8.1 allows remote attackers to cause a denial of service (Apache HTTP server crash) via a crafted logout request that triggers a read of uninitialized data.
References
Vulnerable Configurations
  • cpe:2.3:a:uninett:mod_auth_mellon:0.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:uninett:mod_auth_mellon:0.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:uninett:mod_auth_mellon:0.6.0:-:*:*:*:*:*:*
  • cpe:2.3:a:uninett:mod_auth_mellon:0.6.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:uninett:mod_auth_mellon:0.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:uninett:mod_auth_mellon:0.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:uninett:mod_auth_mellon:0.8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_eus:6.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
CVSS
Base: 9.4 (as of 09-07-2019 - 12:29)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality NONE
  • Integrity COMPLETE
  • Availability COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:C/A:C
redhat via4
advisories
bugzilla
id 1157954
title CVE-2014-8567 mod_auth_mellon: logout processing leads to denial of service
oval
AND
  • comment mod_auth_mellon is earlier than 0:0.8.0-3.el6_6
    oval oval:com.redhat.rhsa:tst:20141803005
  • comment mod_auth_mellon is signed with Red Hat redhatrelease2 key
    oval oval:com.redhat.rhsa:tst:20141803006
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
rhsa
id RHSA-2014:1803
released 2014-11-05
severity Important
title RHSA-2014:1803: mod_auth_mellon security update (Important)
rpms mod_auth_mellon-0:0.8.0-3.el6_6
refmap via4
confirm
mlist [modmellon] 20141103 Information disclosure vulnerability in version 0.8.0 of mod_auth_mellon
secunia
  • 62094
  • 62125
Last major update 09-07-2019 - 12:29
Published 14-11-2014 - 15:59