CVE-2006-4154

Apache HTTP Server mod_tcl 1.0 - Remote Code Execution via Format String Specifiers

Title source: llm
STIX 2.1

Description

Format string vulnerability in the mod_tcl module 1.0 for Apache 2.x allows context-dependent attackers to execute arbitrary code via format string specifiers that are not properly handled in a set_var function call in (1) tcl_cmds.c and (2) tcl_core.c.

References (10)

Core 10
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/20527
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1017062
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22549
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/29536
Patch, Vendor Advisory third-party-advisory x_refsource_idefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=421
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4033
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200610-12.xml
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/22458
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/29550
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/366020

Scores

EPSS 0.1597
EPSS Percentile 96.5%

Details

Status published
Products (40)
apache/http_server 2.0
apache/http_server 2.0.9
apache/http_server 2.0.28 (3 CPE variants)
apache/http_server 2.0.32 (2 CPE variants)
apache/http_server 2.0.34 beta
apache/http_server 2.0.35
apache/http_server 2.0.36
apache/http_server 2.0.37
apache/http_server 2.0.38
apache/http_server 2.0.39
... and 30 more
Published Oct 16, 2006
Tracked Since Feb 18, 2026