CVE-2010-0434

Apache HTTP Server 2.2.x < 2.2.15 - Exposure of Sensitive Information via Subrequest Header Handling

Title source: llm
STIX 2.1

Description

The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.

References (59)

Core 59
Core References
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1411
Issue Tracking, Vendor Advisory x_refsource_confirm
https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/56625
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=570171
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0175.html
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39115
Third Party Advisory x_refsource_confirm
http://www.vmware.com/security/advisories/VMSA-2010-0014.html
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/0911
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39628
Broken Link x_refsource_confirm
http://support.apple.com/kb/HT4435
Third Party Advisory vendor-advisory x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1PM12247
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-May/040652.html
Issue Tracking, Mailing List, Third Party Advisory vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=127557640302499&w=2
Third Party Advisory vendor-advisory x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1PM15829
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39656
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/38494
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0168.html
Broken Link, Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39100
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39501
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00006.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://lists.vmware.com/pipermail/security-announce/2010/000105.html
Patch, Vendor Advisory x_refsource_confirm
http://httpd.apache.org/security/vulnerabilities_22.html
Patch, Vendor Advisory x_refsource_confirm
http://svn.apache.org/viewvc?view=revision&revision=917867
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/40096
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39632
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2010/dsa-2035
Third Party Advisory vendor-advisory x_refsource_aixapar
http://www-01.ibm.com/support/docview.wss?uid=swg1PM08939
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039957.html
Patch, Vendor Advisory x_refsource_confirm
http://svn.apache.org/viewvc?view=revision&revision=918427
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1001
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/0994
Permissions Required vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1057

Scores

EPSS 0.1844
EPSS Percentile 96.9%

Details

CWE
CWE-200
Status published
Products (5)
apache/http_server 2.0.35 - 2.0.64
debian/debian_linux 5.0
debian/debian_linux 6.0
fedoraproject/fedora 11
fedoraproject/fedora 13
Published Mar 05, 2010
Tracked Since Feb 18, 2026