CVE-2002-0839 - The shared memory scoreboard in the HTTP daemon for Apache 1.3.x before 1.3.27 allows any user runni

CVE-2002-0839

Summary

The shared memory scoreboard in the HTTP daemon for Apache 1.3.x before 1.3.27 allows any user running as the Apache UID to send a SIGUSR1 signal to any process as root, resulting in a denial of service (process kill) or possibly other behaviors that would not normally be allowed, by modifying the parent[].pid and parent[].last_rtime segments in the scoreboard.

References

Vulnerable Configurations

cpe:2.3:a:apache:http_server:1.3.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.23:*:*:*:*:*:*:*

CVSS

Base:	7.2 (as of 06-06-2021 - 11:15)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
LOCAL	LOW	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:L/AC:L/Au:N/C:C/I:C/A:C

refmap via4

bid	5884
bugtraq	20021003 [OpenPKG-SA-2002.009] OpenPKG Security Advisory (apache) 20021015 GLSA: apache 20021017 TSLSA-2002-0069-apache
conectiva	CLA-2002:530
confirm	http://marc.info/?l=apache-httpd-announce&m=103367938230488&w=2 http://www.apacheweek.com/issues/02-10-04
debian	DSA-187 DSA-188 DSA-195
engarde	ESA-20021007-024
hp	HPSBOV02683 HPSBUX0210-224 SSRT090208
mandrake	MDKSA-2002:068
sgi	20021105-01-I
vulnwatch	20021003 iDEFENSE Security Advisory 10.03.2002: Apache 1.3.x shared memory scoreboard vulnerabilities
xf	apache-scorecard-memory-overwrite(10280)

statements via4

contributor	Mark J Cox
lastmodified	2008-07-02
organization	Apache
statement	Fixed in Apache HTTP Server 1.3.27: http://httpd.apache.org/security/vulnerabilities_13.html

Last major update

06-06-2021 - 11:15

Published

11-10-2002 - 04:00

Last modified

06-06-2021 - 11:15