Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 2.6
CVE Id: CVE-2012-2687
Last Modified: 05 Dec 2013 12:14:16
Published: 22 Aug 2012 03:55:01
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE

CVE-2012-2687

Summary

Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.

Vulnerable Systems

Application

  • Apache Http Server 2.2.0

  • Apache Http Server 2.2.1

  • Apache Http Server 2.2.10

  • Apache Http Server 2.2.11

  • Apache Http Server 2.2.12

  • Apache Http Server 2.2.13

  • Apache Http Server 2.2.14

  • Apache Http Server 2.2.15

  • Apache Http Server 2.2.16

  • Apache Http Server 2.2.17

  • Apache Http Server 2.2.18

  • Apache Http Server 2.2.19

  • Apache Http Server 2.2.2

  • Apache Http Server 2.2.20

  • Apache Http Server 2.2.21

  • Apache Http Server 2.2.22

  • Apache Http Server 2.2.23

  • Apache Http Server 2.2.3

  • Apache Http Server 2.2.4

  • Apache Http Server 2.2.6

  • Apache Http Server 2.2.8

  • Apache Http Server 2.2.9

  • Apache Http Server 2.4.0

  • Apache Http Server 2.4.1

  • Apache Http Server 2.4.2


References

CONFIRM - http://www.apache.org/dist/httpd/CHANGES_2.4.3

MLIST - [announce] 20120821 [ANNOUNCEMENT] Apache HTTP Server 2.4.3 Released

CONFIRM - http://httpd.apache.org/security/vulnerabilities_24.html

UBUNTU - USN-1627-1

SECUNIA - 51607

REDHAT - RHSA-2012:1594

REDHAT - RHSA-2012:1592

REDHAT - RHSA-2012:1591

REDHAT - RHSA-2013:0130

SUSE - openSUSE-SU-2013:0248

SUSE - openSUSE-SU-2013:0245

SUSE - openSUSE-SU-2013:0243

BID - 55131

CONFIRM - http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

AIXAPAR - SE53614

SECUNIA - 50894

CONFIRM - http://support.apple.com/kb/HT5880

APPLE - APPLE-SA-2013-09-12-1

Related Patches

SUN120543-30 Solaris 10 SPARC: Apache 2 Patch (Rev 2)

SUN120544-30 Solaris 10 x86: Apache 2 Patch (Rev 2)

Red Hat 2013:0130-01 RHSA Low: httpd security, bug fix, and enhancement update for RHEL 5 x86

Novell SUSE 2013:7409 apache2 security update for SLES 11 SP2 i586

Novell SUSE 2013:7409 apache2 security update for SLES 11 SP2 x86_64

Novell SUSE 2013:8443 apache2 security update for SLES 10 SP4 i586

Novell SUSE 2013:8443 apache2 security update for SLES 10 SP4 x86_64


Last Updated: 27 May 2016 11:02:58