ID CVE-2011-1928
Summary The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.
Vulnerable Configurations
  • cpe:2.3:a:apache:apr-util:1.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:apr-util:1.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 06-01-2018 - 02:29)
CWE CWE-399
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:N/A:P
redhat via4
advisories
bugzilla
id 706203
title CVE-2011-1928 apr: DoS flaw in apr_fnmatch() due to fix for CVE-2011-0419
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • OR
      • AND
        • comment apr is earlier than 0:0.9.4-26.el4
          oval oval:com.redhat.rhsa:tst:20110844002
        • comment apr is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20091204003
      • AND
        • comment apr-devel is earlier than 0:0.9.4-26.el4
          oval oval:com.redhat.rhsa:tst:20110844004
        • comment apr-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20091204005
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment apr is earlier than 0:1.2.7-11.el5_6.5
          oval oval:com.redhat.rhsa:tst:20110844007
        • comment apr is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091204012
      • AND
        • comment apr-devel is earlier than 0:1.2.7-11.el5_6.5
          oval oval:com.redhat.rhsa:tst:20110844009
        • comment apr-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091204014
      • AND
        • comment apr-docs is earlier than 0:1.2.7-11.el5_6.5
          oval oval:com.redhat.rhsa:tst:20110844011
        • comment apr-docs is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091204016
  • AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment apr is earlier than 0:1.3.9-3.el6_1.2
          oval oval:com.redhat.rhsa:tst:20110844017
        • comment apr is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110507018
      • AND
        • comment apr-devel is earlier than 0:1.3.9-3.el6_1.2
          oval oval:com.redhat.rhsa:tst:20110844019
        • comment apr-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110507020
rhsa
id RHSA-2011:0844
released 2011-05-31
severity Low
title RHSA-2011:0844: apr security update (Low)
rpms
  • apr-0:0.9.4-26.el4
  • apr-devel-0:0.9.4-26.el4
  • apr-0:1.2.7-11.el5_6.5
  • apr-devel-0:1.2.7-11.el5_6.5
  • apr-docs-0:1.2.7-11.el5_6.5
  • apr-0:1.3.9-3.el6_1.2
  • apr-devel-0:1.3.9-3.el6_1.2
refmap via4
hp
  • HPSBOV02822
  • SSRT100966
mandriva MDVSA-2011:095
mlist
  • [httpd-announce] 20110519 Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11
  • [oss-security] 20110519 CVE request: DoS in apr due to CVE-2011-0419 fix
  • [oss-security] 20110519 Re: CVE request: DoS in apr due to CVE-2011-0419 fix
  • [www-announce] 20110519 Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11
secunia
  • 44558
  • 44613
  • 44661
  • 44780
  • 48308
suse SUSE-SU-2011:1229
vupen
  • ADV-2011-1289
  • ADV-2011-1290
Last major update 06-01-2018 - 02:29
Published 24-05-2011 - 23:55