ID | CVE-2011-1928 |
Summary | The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419. |
References | |
Vulnerable Configurations |
- cpe:2.3:a:apache:apr-util:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*
CVSS |
Base: | 4.3 (as of 06-01-2018 - 02:29) |
Impact: | |
Exploitability: | |
CWE | CWE-399 |
CAPEC | |
Access |
Vector | Complexity | Authentication |
NETWORK | MEDIUM | NONE |
Impact |
Confidentiality | Integrity | Availability |
NONE | NONE | PARTIAL |
cvss-vector (via4) | AV:N/AC:M/Au:N/C:N/I:N/A:P |
redhat (via4) |
advisories |
bugzilla | id | 706203 | title | CVE-2011-1928 apr: DoS flaw in apr_fnmatch() due to fix for CVE-2011-0419 |
oval | OR
- AND
  - comment | Red Hat Enterprise Linux 4 is installed | oval | oval:com.redhat.rhba:tst:20070304001
  - OR
    - AND
      - comment | apr is earlier than 0:0.9.4-26.el4 | oval | oval:com.redhat.rhsa:tst:20110844002
      - comment | apr is signed with Red Hat master key | oval | oval:com.redhat.rhsa:tst:20091204003
    - AND
      - comment | apr-devel is earlier than 0:0.9.4-26.el4 | oval | oval:com.redhat.rhsa:tst:20110844004
      - comment | apr-devel is signed with Red Hat master key | oval | oval:com.redhat.rhsa:tst:20091204005
- AND
  - comment | Red Hat Enterprise Linux 5 is installed | oval | oval:com.redhat.rhba:tst:20070331001
  - OR
    - AND
      - comment | apr is earlier than 0:1.2.7-11.el5_6.5 | oval | oval:com.redhat.rhsa:tst:20110844007
      - comment | apr is signed with Red Hat redhatrelease key | oval | oval:com.redhat.rhsa:tst:20091204012
    - AND
      - comment | apr-devel is earlier than 0:1.2.7-11.el5_6.5 | oval | oval:com.redhat.rhsa:tst:20110844009
      - comment | apr-devel is signed with Red Hat redhatrelease key | oval | oval:com.redhat.rhsa:tst:20091204014
    - AND
      - comment | apr-docs is earlier than 0:1.2.7-11.el5_6.5 | oval | oval:com.redhat.rhsa:tst:20110844011
      - comment | apr-docs is signed with Red Hat redhatrelease key | oval | oval:com.redhat.rhsa:tst:20091204016
- AND
  - OR
    - comment | Red Hat Enterprise Linux 6 Client is installed | oval | oval:com.redhat.rhba:tst:20111656001
    - comment | Red Hat Enterprise Linux 6 Server is installed | oval | oval:com.redhat.rhba:tst:20111656002
    - comment | Red Hat Enterprise Linux 6 Workstation is installed | oval | oval:com.redhat.rhba:tst:20111656003
    - comment | Red Hat Enterprise Linux 6 ComputeNode is installed | oval | oval:com.redhat.rhba:tst:20111656004
  - OR
    - AND
      - comment | apr is earlier than 0:1.3.9-3.el6_1.2 | oval | oval:com.redhat.rhsa:tst:20110844017
      - comment | apr is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhsa:tst:20110507018
    - AND
      - comment | apr-devel is earlier than 0:1.3.9-3.el6_1.2 | oval | oval:com.redhat.rhsa:tst:20110844019
      - comment | apr-devel is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhsa:tst:20110507020
rhsa | id | RHSA-2011:0844 | released | 2011-05-31 | severity | Low | title | RHSA-2011:0844: apr security update (Low) |
rpms |
- apr-0:0.9.4-26.el4
- apr-devel-0:0.9.4-26.el4
- apr-0:1.2.7-11.el5_6.5
- apr-devel-0:1.2.7-11.el5_6.5
- apr-docs-0:1.2.7-11.el5_6.5
- apr-0:1.3.9-3.el6_1.2
- apr-devel-0:1.3.9-3.el6_1.2
refmap (via4) |
confirm | |
hp | |
mandriva | MDVSA-2011:095 |
mlist |
- [httpd-announce] 20110519 Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11
- [oss-security] 20110519 CVE request: DoS in apr due to CVE-2011-0419 fix
- [oss-security] 20110519 Re: CVE request: DoS in apr due to CVE-2011-0419 fix
- [www-announce] 20110519 Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11
secunia |
- 44558
- 44613
- 44661
- 44780
- 48308
suse | SUSE-SU-2011:1229 |
vupen |
- ADV-2011-1289
- ADV-2011-1290
Last major update | 06-01-2018 - 02:29 |
Published | 24-05-2011 - 23:55 |