ID CVE-2007-1862
Summary The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously used data, which could be used by remote attackers to obtain potentially sensitive information.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 11-10-2013 - 02:33)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
refmap via4
bid 24553
confirm
fedora FEDORA-2007-2214
gentoo GLSA-200711-06
mandriva
  • MDKSA-2007:127
  • MDVSA-2013:150
mlist
  • [httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
osvdb 38641
secunia
  • 26273
  • 26842
  • 27563
vupen
  • ADV-2007-2231
  • ADV-2007-2727
statements via4
  • contributor Mark J Cox
    lastmodified 2008-07-02
    organization Apache
    statement Fixed in Apache HTTP Server 2.2.6. http://httpd.apache.org/security/vulnerabilities_22.html
  • contributor Mark J Cox
    lastmodified 2007-06-11
    organization Red Hat
    statement Not vulnerable. This issue was specific to httpd version 2.2.4 and did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5.
Last major update 11-10-2013 - 02:33
Published 04-06-2007 - 23:30
Last modified 11-10-2013 - 02:33
Back to Top