Vulnerability CVE-2009-1191


Published: 2009-04-23   Modified: 2012-02-13

Description:
mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request.

Type:

CWE-20

(Improper Input Validation)

Vendor: Apache
Product: Apache http server 
Version: 2.2.11;

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
http://www.securityfocus.com/bid/34663
http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/PR46949.diff
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=766938&r2=767089
https://issues.apache.org/bugzilla/show_bug.cgi?id=46949
http://xforce.iss.net/xforce/xfdb/50059
http://www.vupen.com/english/advisories/2009/3184
http://www.vupen.com/english/advisories/2009/1147
http://www.ubuntu.com/usn/usn-787-1
http://www.securitytracker.com/id?1022264
http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
http://www.mandriva.com/security/advisories?name=MDVSA-2009:102
http://support.apple.com/kb/HT3937
http://security.gentoo.org/glsa/glsa-200907-04.xml
http://secunia.com/advisories/35721
http://secunia.com/advisories/35395
http://secunia.com/advisories/34827
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:8261
http://osvdb.org/53921
http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html

Related CVE
CVE-2019-12421
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to...
CVE-2019-10080
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the v...
CVE-2019-10083
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which...
CVE-2019-12422
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2019-10070
Apache Atlas versions 0.8.3 and 1.1.0 were found vulnerable to Stored Cross-Site Scripting in the search functionality
CVE-2019-12419
Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is...
CVE-2019-12410
While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby ...
CVE-2019-12408
It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized...

Copyright 2019, cxsecurity.com

 

Back to Top