ID CVE-2002-0392
Summary Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a chunk-encoded HTTP request that causes Apache to use an incorrect size.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:http_server:1.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.9:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.11:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.11:*:win32:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.11:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.12:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.12:*:win32:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.12:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.13:*:win32:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.13:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.14:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.14:*:mac_os:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.14:*:mac_os:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.14:*:win32:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.14:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.15:*:win32:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.15:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.16:*:win32:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.16:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.17:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.17:*:win32:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.17:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.18:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.18:*:win32:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.18:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.19:*:win32:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.19:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.20:*:win32:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.20:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.22:*:win32:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.22:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.23:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.23:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.23:*:win32:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.23:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.24:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.24:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.24:*:win32:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.24:*:win32:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 08-03-2011 - 02:08)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2002:103
  • rhsa
    id RHSA-2002:117
  • rhsa
    id RHSA-2002:118
  • rhsa
    id RHSA-2002:126
  • rhsa
    id RHSA-2002:150
  • rhsa
    id RHSA-2003:106
refmap via4
bid
  • 20005
  • 5033
bugtraq
  • 20020617 Re: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server
  • 20020617 Re: Remote Compromise Vulnerability in Apache HTTP Server
  • 20020618 Fixed version of Apache 1.3 available
  • 20020619 Implications of Apache vuln for Oracle
  • 20020619 Remote Apache 1.3.x Exploit
  • 20020619 [OpenPKG-SA-2002.004] OpenPKG Security Advisory (apache)
  • 20020620 Apache Exploit
  • 20020620 TSLSA-2002-0056 - apache
  • 20020621 [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
  • 20020621 [slackware-security] new apache/mod_ssl packages available
  • 20020622 Ending a few arguments with one simple attachment.
  • 20020622 blowchunks - protecting existing apache servers until upgrades arrive
caldera
  • CSSA-2002-029.0
  • CSSA-2002-SCO.31
  • CSSA-2002-SCO.32
cert CA-2002-17
cert-vn VU#944335
compaq SSRT2253
conectiva CLSA-2002:498
confirm http://httpd.apache.org/info/security_bulletin_20020617.txt
debian
  • DSA-131
  • DSA-132
  • DSA-133
engarde ESA-20020619-014
frsirt ADV-2006-3598
hp
  • HPSBMA02149
  • HPSBTL0206-049
  • HPSBUX0207-197
  • SSRT050968
iss 20020617 Remote Compromise Vulnerability in Apache HTTP Server
mandrake MDKSA-2002:039
mlist
  • [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
osvdb 838
secunia 21917
sgi
  • 20020605-01-A
  • 20020605-01-I
suse SuSE-SA:2002:022
vulnwatch 20020617 [VulnWatch] Apache httpd: vulnerability with chunked encoding
xf apache-chunked-encoding-bo(9249)
saint via4
bid 5033
description Apache chunked encoding buffer overflow
id web_server_apache_version
osvdb 838
title apache_chunk_size
type remote
statements via4
contributor Mark J Cox
lastmodified 2008-07-02
organization Apache
statement Fixed in Apache HTTP Server 2.0.37 and 1.3.26: http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_13.html
Last major update 08-03-2011 - 02:08
Published 03-07-2002 - 04:00
Last modified 08-03-2011 - 02:08
Back to Top