ID CVE-2009-1902
Summary The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request with a missing part header name, which triggers a NULL pointer dereference.
References
Vulnerable Configurations
  • cpe:2.3:a:modsecurity:modsecurity:2.1.7:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.5.7:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:modsecurity:modsecurity:2.5.8:*:*:*:*:*:*:*
CVSS
Base: 7.8 (as of 29-09-2017 - 01:34)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:C
refmap via4
bid 34096
bugtraq 20090319 [ISecAuditors Security Advisories] ModSecurity < 2.5.9 remote Denial of Service
confirm http://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846
exploit-db 8241
fedora
  • FEDORA-2009-2654
  • FEDORA-2009-2686
gentoo GLSA-200907-02
osvdb 52553
secunia
  • 34256
  • 34311
  • 35687
suse SUSE-SR:2009:011
vupen ADV-2009-0703
xf modsecurity-multipart-dos(49212)
Last major update 29-09-2017 - 01:34
Published 03-06-2009 - 17:00
Last modified 29-09-2017 - 01:34