ID CVE-2004-0809
Summary The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.49:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.49:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.0.50:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.0.50:*:*:*:*:*:*:*
  • cpe:2.3:a:hp:secure_web_server_for_tru64:5.1:*:*:*:*:*:*:*
    cpe:2.3:a:hp:secure_web_server_for_tru64:5.1:*:*:*:*:*:*:*
  • cpe:2.3:o:hp:hp-ux:11.11:*:*:*:*:*:*:*
    cpe:2.3:o:hp:hp-ux:11.11:*:*:*:*:*:*:*
  • cpe:2.3:o:trustix:secure_linux:2.0:*:*:*:*:*:*:*
    cpe:2.3:o:trustix:secure_linux:2.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:3.0:*:workstation_server:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:3.0:*:workstation_server:*:*:*:*:*
  • cpe:2.3:o:mandrakesoft:mandrake_linux:9.2:*:*:*:*:*:*:*
    cpe:2.3:o:mandrakesoft:mandrake_linux:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:hp:secure_web_server_for_tru64:5.0_a:*:*:*:*:*:*:*
    cpe:2.3:a:hp:secure_web_server_for_tru64:5.0_a:*:*:*:*:*:*:*
  • cpe:2.3:o:mandrakesoft:mandrake_linux:9.2:*:amd64:*:*:*:*:*
    cpe:2.3:o:mandrakesoft:mandrake_linux:9.2:*:amd64:*:*:*:*:*
  • cpe:2.3:a:hp:secure_web_server_for_tru64:6.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:hp:secure_web_server_for_tru64:6.3.0:*:*:*:*:*:*:*
  • cpe:2.3:o:hp:hp-ux:11.00:*:*:*:*:*:*:*
    cpe:2.3:o:hp:hp-ux:11.00:*:*:*:*:*:*:*
  • cpe:2.3:o:hp:hp-ux:11.23:*:ia64_64-bit:*:*:*:*:*
    cpe:2.3:o:hp:hp-ux:11.23:*:ia64_64-bit:*:*:*:*:*
  • cpe:2.3:o:hp:hp-ux:11.22:*:*:*:*:*:*:*
    cpe:2.3:o:hp:hp-ux:11.22:*:*:*:*:*:*:*
  • cpe:2.3:a:hp:secure_web_server_for_tru64:5.8.1:*:*:*:*:*:*:*
    cpe:2.3:a:hp:secure_web_server_for_tru64:5.8.1:*:*:*:*:*:*:*
  • cpe:2.3:o:turbolinux:turbolinux_home:*:*:*:*:*:*:*:*
    cpe:2.3:o:turbolinux:turbolinux_home:*:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:3.0:*:enterprise_server:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:3.0:*:enterprise_server:*:*:*:*:*
  • cpe:2.3:a:hp:secure_web_server_for_tru64:4.0_f:*:*:*:*:*:*:*
    cpe:2.3:a:hp:secure_web_server_for_tru64:4.0_f:*:*:*:*:*:*:*
  • cpe:2.3:o:gentoo:linux:1.4:*:*:*:*:*:*:*
    cpe:2.3:o:gentoo:linux:1.4:*:*:*:*:*:*:*
  • cpe:2.3:o:mandrakesoft:mandrake_linux:10.0:*:*:*:*:*:*:*
    cpe:2.3:o:mandrakesoft:mandrake_linux:10.0:*:*:*:*:*:*:*
  • cpe:2.3:o:trustix:secure_linux:2.1:*:*:*:*:*:*:*
    cpe:2.3:o:trustix:secure_linux:2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:hp:secure_web_server_for_tru64:5.1_a:*:*:*:*:*:*:*
    cpe:2.3:a:hp:secure_web_server_for_tru64:5.1_a:*:*:*:*:*:*:*
  • cpe:2.3:a:hp:secure_web_server_for_tru64:5.9.1:*:*:*:*:*:*:*
    cpe:2.3:a:hp:secure_web_server_for_tru64:5.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:hp:secure_web_server_for_tru64:5.9.2:*:*:*:*:*:*:*
    cpe:2.3:a:hp:secure_web_server_for_tru64:5.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:hp:secure_web_server_for_tru64:4.0_g:*:*:*:*:*:*:*
    cpe:2.3:a:hp:secure_web_server_for_tru64:4.0_g:*:*:*:*:*:*:*
  • cpe:2.3:a:hp:secure_web_server_for_tru64:5.8.2:*:*:*:*:*:*:*
    cpe:2.3:a:hp:secure_web_server_for_tru64:5.8.2:*:*:*:*:*:*:*
  • cpe:2.3:o:turbolinux:turbolinux_server:10.0:*:*:*:*:*:*:*
    cpe:2.3:o:turbolinux:turbolinux_server:10.0:*:*:*:*:*:*:*
  • cpe:2.3:o:turbolinux:turbolinux_desktop:10.0:*:*:*:*:*:*:*
    cpe:2.3:o:turbolinux:turbolinux_desktop:10.0:*:*:*:*:*:*:*
  • cpe:2.3:o:mandrakesoft:mandrake_linux:10.0:*:amd64:*:*:*:*:*
    cpe:2.3:o:mandrakesoft:mandrake_linux:10.0:*:amd64:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:3.0:*:advanced_server:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:3.0:*:advanced_server:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:3.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:3.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 23-09-2022 - 15:13)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
oval via4
accepted 2013-04-29T04:20:28.229-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
description The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access.
family unix
id oval:org.mitre.oval:def:9588
status accepted
submitted 2010-07-09T03:56:16-04:00
title The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access.
version 29
redhat via4
advisories
rhsa
id RHSA-2004:463
rpms
  • httpd-0:2.0.46-40.ent
  • httpd-debuginfo-0:2.0.46-40.ent
  • httpd-devel-0:2.0.46-40.ent
  • mod_ssl-1:2.0.46-40.ent
refmap via4
confirm http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/dav/fs/lock.c?r1=1.32&r2=1.33
debian DSA-558
gentoo GLSA-200409-21
mandrake MDKSA-2004:096
mlist
  • [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
trustix 2004-0047
xf apache-moddav-lock-dos(17366)
statements via4
contributor Mark J Cox
lastmodified 2008-07-02
organization Apache
statement Fixed in Apache HTTP Server 2.0.51: http://httpd.apache.org/security/vulnerabilities_20.html
Last major update 23-09-2022 - 15:13
Published 16-09-2004 - 04:00
Last modified 23-09-2022 - 15:13
Back to Top