CVE-2018-1302

MEDIUM

Apache HTTP Server < 2.4.30 - NULL Pointer Dereference in HTTP/2 Stream Handling

Title source: llm
STIX 2.1

Description

When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.

References (23)

Core 23
Core References
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20180601-0004/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0367
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2018/03/24/5
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/103528
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040567
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3783-1/
Vendor Advisory x_refsource_confirm
https://httpd.apache.org/security/vulnerabilities_24.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0366
Third Party Advisory x_refsource_confirm
https://www.tenable.com/security/tns-2019-09

Scores

CVSS v3 5.9
EPSS 0.1212
EPSS Percentile 93.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-476
Status published
Products (6)
apache/http_server < 2.4.29
canonical/ubuntu_linux 18.04
netapp/clustered_data_ontap
netapp/santricity_cloud_connector
netapp/storage_automation_store
netapp/storagegrid
Published Mar 26, 2018
Tracked Since Feb 18, 2026