Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.3
CVE Id CVE-2011-1928
Last Modified 29 Oct 2012 11:53:23
Published 24 May 2011 07:55:03
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2011-1928

Summary

The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.

Vulnerable Systems

Application

  • Apache Apr-util 1.4.3

  • Apache Apr-util 1.4.4

  • Apache Http Server 2.2.18
References

MLIST - [www-announce] 20110519 Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11

MLIST - [httpd-announce] 20110519 Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11

CONFIRM - https://issues.apache.org/bugzilla/show_bug.cgi?id=51219

VUPEN - ADV-2011-1290

VUPEN - ADV-2011-1289

REDHAT - RHSA-2011:0844

MANDRIVA - MDVSA-2011:095

SECUNIA - 44780

SECUNIA - 44661

SECUNIA - 44613

SECUNIA - 44558

MLIST - [oss-security] 20110519 CVE request: DoS in apr due to CVE-2011-0419 fix

MLIST - [oss-security] 20110519 Re: CVE request: DoS in apr due to CVE-2011-0419 fix

CONFIRM - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627182

SUSE - SUSE-SU-2011:1229

HP - HPSBOV02822

HP - SSRT100966

Related Patches

Novell SUSE 2011:7610 libapr1 security update for SLE 10 SP4 i586
Last Updated: 27 May 2016 10:56:26