CVE-2012-0883

Apache HTTP Server <2.4.2 - Privilege Escalation

Title source: llm
STIX 2.1

Description

envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl.

References (32)

Core 32
Core References
Issue Tracking, Mailing List, Third Party Advisory vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=134012830914727&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/53046
Not Applicable third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48849
Broken Link, Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
Vendor Advisory x_refsource_confirm
http://www.apache.org/dist/httpd/Announcement2.4.html
Release Notes, Third Party Advisory x_refsource_confirm
http://www.apachelounge.com/Changelog-2.4.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1026932
Vendor Advisory x_refsource_confirm
https://httpd.apache.org/security/vulnerabilities_24.html
Broken Link mailing-list x_refsource_mlist
http://article.gmane.org/gmane.comp.apache.devel/48158
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-02/msg00012.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/74901
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-02/msg00009.html
Broken Link, Third Party Advisory x_refsource_confirm
http://support.apple.com/kb/HT5880
Patch, Vendor Advisory x_refsource_confirm
http://svn.apache.org/viewvc?view=revision&revision=1296428

Scores

EPSS 0.0095
EPSS Percentile 57.2%

Details

Status published
Products (4)
apache/http_server 2.4.1
apache/http_server 2.2.0 - 2.2.23
opensuse/opensuse 11.4
opensuse/opensuse 12.1
Published Apr 18, 2012
Tracked Since Feb 18, 2026