ID CVE-2003-0020
Summary Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:http_server:1.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.6:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.7:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.8:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.9:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.10:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.11:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.12:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.13:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.14:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.15:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.16:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.16:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.17:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.18:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.23:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.23:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.24:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.24:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.25:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.25:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.26:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.26:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.27:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.27:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.28:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.28:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.29:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.29:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:1.3.30:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:1.3.30:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.28:beta:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.28:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.32:beta:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.32:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.34:beta:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.34:beta:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 06-06-2021 - 11:15)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:N
oval via4
  • accepted 2005-11-16T08:02:00.000-04:00
    class vulnerability
    contributors
    name Robert L. Hollis
    organization ThreatGuard, Inc.
    description Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.
    family unix
    id oval:org.mitre.oval:def:100109
    status accepted
    submitted 2005-08-16T12:00:00.000-04:00
    title Apache Error Log Escape Sequence Filtering Vulnerability
    version 36
  • accepted 2010-09-20T04:00:13.693-04:00
    class vulnerability
    contributors
    • name Jay Beale
      organization Bastille Linux
    • name Jay Beale
      organization Bastille Linux
    • name Thomas R. Jones
      organization Maitreya Security
    • name Jonathan Baker
      organization The MITRE Corporation
    description Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.
    family unix
    id oval:org.mitre.oval:def:150
    status accepted
    submitted 2003-08-17T12:00:00.000-04:00
    title Apache Terminal Escape Sequence Vulnerability
    version 41
  • accepted 2004-12-09T08:46:00.000-04:00
    class vulnerability
    contributors
    • name Brian Soby
      organization The MITRE Corporation
    • name Brian Soby
      organization The MITRE Corporation
    • name Brian Soby
      organization The MITRE Corporation
    description Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.
    family unix
    id oval:org.mitre.oval:def:4114
    status accepted
    submitted 2004-10-14T01:14:00.000-04:00
    title Apache Error Log Escape Sequence Injection Vulnerability
    version 35
redhat via4
advisories
  • rhsa
    id RHSA-2003:082
  • rhsa
    id RHSA-2003:083
  • rhsa
    id RHSA-2003:104
  • rhsa
    id RHSA-2003:139
  • rhsa
    id RHSA-2003:243
  • rhsa
    id RHSA-2003:244
refmap via4
apple APPLE-SA-2004-05-03
bid 9930
bugtraq
  • 20030224 Terminal Emulator Security Issues
  • 20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)
gentoo GLSA-200405-22
hp SSRT4717
mandrake
  • MDKSA-2003:050
  • MDKSA-2004:046
mlist
  • [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
slackware SSA:2004-133
sunalert
  • 101555
  • 57628
trustix
  • 2004-0017
  • 2004-0027
vulnwatch 20030224 Terminal Emulator Security Issues
xf apache-esc-seq-injection(11412)
statements via4
contributor Mark J Cox
lastmodified 2008-07-02
organization Apache
statement Fixed in Apache HTTP Server 2.0.49 and 1.3.31 http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_13.html
Last major update 06-06-2021 - 11:15
Published 18-03-2003 - 05:00
Last modified 06-06-2021 - 11:15
Back to Top