CVE-2013-6438

Apache HTTP Server < 2.4.8 - Denial of Service via mod_dav CDATA Parsing


Description

The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.
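As an added illustration of the defect class described above (hypothetical model code written for this page, not the httpd source): the CHANGES_2.4.9 entry for this CVE, referenced below, summarises the fix as keeping track of the length of the CDATA properly when removing leading spaces. The model copies a CDATA string into an exactly sized buffer, skips leading whitespace by advancing the pointer while leaving the length variable stale, so the trailing-whitespace scan starts past the end of the buffer and the terminating NUL is written out of bounds. The flawed logic runs inside a padded buffer so the overrun can be measured rather than crashing the process, and a bounded version follows it. The function names, the canary byte and the sample DAV body are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the bug class, not the httpd code: the text is copied
 * into a buffer of len+1 bytes, leading whitespace is skipped by advancing the
 * pointer, and the trailing scan then starts at cdata + len - 1 using the
 * ORIGINAL len, i.e. beyond the buffer whenever leading whitespace was skipped. */

/* Runs the flawed trim in a padded buffer whose tail is filled with a canary and
 * returns how many bytes past the real end (index len) the final NUL landed;
 * 0 means the trim stayed in bounds. Treating the bytes beyond the buffer as
 * non-whitespace ('X') is an assumption of this model; real heap contents vary. */
long flawed_trim_overrun_offset(const char *text)
{
    size_t len = strlen(text);
    if (len == 0)
        return 0;                       /* model covers non-empty CDATA only */

    size_t slack = len + 2;             /* enough room to observe any overrun */
    char *buf = malloc(len + 1 + slack);
    memcpy(buf, text, len + 1);
    memset(buf + len + 1, 'X', slack);  /* canary: a correct trim never touches it */

    char *cdata = buf;
    while (isspace((unsigned char)*cdata))
        ++cdata;                        /* DEFECT: len is not decremented here */

    char *scan = cdata + len - 1;       /* stale len: may start beyond buf[len] */
    while (isspace((unsigned char)*scan))
        --scan;
    *++scan = '\0';                     /* out-of-bounds write when leading > 0 */

    long offset = (long)(scan - buf) - (long)len;
    free(buf);
    return offset > 0 ? offset : 0;
}

/* Corrected trim: len shrinks together with the pointer, and the trailing scan
 * is bounded by the remaining length. Returns a malloc'd copy the caller frees. */
char *strip_cdata(const char *text)
{
    size_t len = strlen(text);
    char *buf = malloc(len + 1);
    memcpy(buf, text, len + 1);

    char *cdata = buf;
    while (len > 0 && isspace((unsigned char)*cdata)) {
        ++cdata;
        --len;                          /* the fix: track the shrinking length */
    }
    while (len > 0 && isspace((unsigned char)cdata[len - 1]))
        --len;                          /* never looks outside [cdata, cdata + len) */
    cdata[len] = '\0';

    memmove(buf, cdata, len + 1);       /* move to the buffer start so free(buf) works */
    return buf;
}

/* Helper for checks: trims `in` and reports whether the result equals `expected`. */
int strip_cdata_equals(const char *in, const char *expected)
{
    char *out = strip_cdata(in);
    int same = strcmp(out, expected) == 0;
    free(out);
    return same;
}

int main(void)
{
    /* constructed sample: an href-style value with leading and trailing whitespace */
    const char *body = "  \t/webdav/file.txt \n";
    printf("flawed trim writes %ld byte(s) past the buffer\n",
           flawed_trim_overrun_offset(body));
    char *t = strip_cdata(body);
    printf("bounded trim: \"%s\"\n", t);
    free(t);
    return 0;
}
```

The first function returns 3 for the sample body because three leading whitespace bytes were skipped without shrinking the length, so the trailing scan and its NUL write start three bytes beyond the allocation; with no leading whitespace it returns 0. The bounded version handles the all-whitespace and empty cases that a length-tracking trim must get right.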

References
https://puppet.com/security/cve/cve-2013-6438 (Third Party Advisory)
https://support.apple.com/HT204659 (Third Party Advisory)
https://support.apple.com/kb/HT6535 (Third Party Advisory)
https://httpd.apache.org/security/vulnerabilities_24.html (Vendor Advisory)
http://secunia.com/advisories/59315 (Not Applicable)
http://secunia.com/advisories/58230 (Not Applicable)
http://advisories.mageia.org/MGASA-2014-0135.html (Third Party Advisory)
http://www.vmware.com/security/advisories/VMSA-2014-0012.html (Third Party Advisory)
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698 (Third Party Advisory)
http://security.gentoo.org/glsa/glsa-201408-12.xml (Third Party Advisory; Gentoo vendor advisory)
http://www-01.ibm.com/support/docview.wss?uid=swg21676092 (Third Party Advisory)
http://secunia.com/advisories/60536 (Not Applicable)
http://www.securityfocus.com/bid/66303 (Third Party Advisory, VDB Entry)
http://marc.info/?l=bugtraq&m=141017844705317&w=2 (Issue Tracking, Mailing List, Third Party Advisory; HP advisory)
http://www.securityfocus.com/archive/1/534161/100/0/threaded (Third Party Advisory, VDB Entry; Bugtraq)
http://marc.info/?l=bugtraq&m=141390017113542&w=2 (Issue Tracking, Mailing List, Third Party Advisory; HP advisory)
http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html (Broken Link; Apple advisory)
http://secunia.com/advisories/59345 (Not Applicable)
http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html (Broken Link, Mailing List; Apple advisory)
http://seclists.org/fulldisclosure/2014/Dec/23 (Mailing List, Third Party Advisory; Full Disclosure)
http://www-01.ibm.com/support/docview.wss?uid=swg21676091 (Third Party Advisory)
http://www.ubuntu.com/usn/USN-2152-1 (Third Party Advisory; Ubuntu vendor advisory)
http://www.apache.org/dist/httpd/CHANGES_2.4.9 (Vendor Advisory)
http://www-01.ibm.com/support/docview.wss?uid=swg21669554 (Third Party Advisory)

Scores

EPSS score 0.3956 (estimated probability of exploitation activity in the next 30 days)
EPSS percentile 97.4%

Details

Status published
Products (9)
apache/http_server 2.2.0 - 2.2.27
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 12.10
canonical/ubuntu_linux 13.10
oracle/http_server 10.1.3.5.0
oracle/http_server 11.1.1.7.0
oracle/http_server 12.1.2.0
oracle/http_server 12.1.3.0
Published Mar 18, 2014
Tracked Since Feb 18, 2026