CVE-2007-1862 - The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of he

CVE-2007-1862

Summary

The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously used data, which could be used by remote attackers to obtain potentially sensitive information.

References

Vulnerable Configurations

cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 06-06-2021 - 11:15)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:N/A:N

refmap via4

bid	24553
confirm	http://bugs.gentoo.org/show_bug.cgi?id=186219 http://httpd.apache.org/security/vulnerabilities_22.html http://issues.apache.org/bugzilla/show_bug.cgi?id=41551 http://people.apache.org/~covener/2.2.x-mod_memcache-poolmgmt.diff http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
fedora	FEDORA-2007-2214
gentoo	GLSA-200711-06
mandriva	MDKSA-2007:127 MDVSA-2013:150
mlist	[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
osvdb	38641
secunia	26273 26842 27563
vupen	ADV-2007-2231 ADV-2007-2727

statements via4

contributor Mark J Cox
lastmodified 2008-07-02
organization Apache
statement Fixed in Apache HTTP Server 2.2.6. http://httpd.apache.org/security/vulnerabilities_22.html

contributor	Mark J Cox
lastmodified	2007-06-11
organization	Red Hat
statement	Not vulnerable. This issue was specific to httpd version 2.2.4 and did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5.

Last major update

06-06-2021 - 11:15

Published

04-06-2007 - 23:30

Last modified

06-06-2021 - 11:15