CVE-2014-8567 - The mod_auth_mellon module before 0.8.1 allows remote attackers to cause a denial of service (Apache

CVE-2014-8567

Summary

The mod_auth_mellon module before 0.8.1 allows remote attackers to cause a denial of service (Apache HTTP server crash) via a crafted logout request that triggers a read of uninitialized data.

References

Vulnerable Configurations

cpe:2.3:a:uninett:mod_auth_mellon:0.4.0:*:*:*:*:*:*:*
cpe:2.3:a:uninett:mod_auth_mellon:0.4.0:*:*:*:*:*:*:*
cpe:2.3:a:uninett:mod_auth_mellon:0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:uninett:mod_auth_mellon:0.5.0:*:*:*:*:*:*:*
cpe:2.3:a:uninett:mod_auth_mellon:0.6.0:-:*:*:*:*:*:*
cpe:2.3:a:uninett:mod_auth_mellon:0.6.0:-:*:*:*:*:*:*
cpe:2.3:a:uninett:mod_auth_mellon:0.6.0:rc1:*:*:*:*:*:*
cpe:2.3:a:uninett:mod_auth_mellon:0.6.0:rc1:*:*:*:*:*:*
cpe:2.3:a:uninett:mod_auth_mellon:0.6.1:*:*:*:*:*:*:*
cpe:2.3:a:uninett:mod_auth_mellon:0.6.1:*:*:*:*:*:*:*
cpe:2.3:a:uninett:mod_auth_mellon:0.7.0:*:*:*:*:*:*:*
cpe:2.3:a:uninett:mod_auth_mellon:0.7.0:*:*:*:*:*:*:*
cpe:2.3:a:uninett:mod_auth_mellon:0.8.0:*:*:*:*:*:*:*
cpe:2.3:a:uninett:mod_auth_mellon:0.8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:6.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:6.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

CVSS

Base:	9.4 (as of 09-07-2019 - 12:29)
Impact:
Exploitability:

CWE

CWE-399

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:C/A:C

redhat via4

advisories

bugzilla

id	1157954
title	CVE-2014-8567 mod_auth_mellon: logout processing leads to denial of service

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 6 is installed
oval oval:com.redhat.rhba:tst:20111656003
comment mod_auth_mellon is earlier than 0:0.8.0-3.el6_6
oval oval:com.redhat.rhsa:tst:20141803001
comment mod_auth_mellon is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20141803002

rhsa

id	RHSA-2014:1803
released	2014-11-05
severity	Important
title	RHSA-2014:1803: mod_auth_mellon security update (Important)

rpms

mod_auth_mellon-0:0.8.0-3.el6_6
mod_auth_mellon-debuginfo-0:0.8.0-3.el6_6

refmap via4

confirm	http://linux.oracle.com/errata/ELSA-2014-1803.html https://github.com/UNINETT/mod_auth_mellon/commit/0f5b4fd860fa7e3a6c47201637aab05395f32647
mlist	[modmellon] 20141103 Information disclosure vulnerability in version 0.8.0 of mod_auth_mellon
secunia	62094 62125

Last major update

09-07-2019 - 12:29

Published

14-11-2014 - 15:59

Last modified

09-07-2019 - 12:29