Vulnerability CVE-2009-1956

Vulnerability CVE-2009-1956

Published: 2009-06-07 Modified: 2012-02-13

Description:

Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.

Type:

CWE-189

(Numeric Errors)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
6.4/10	4.9/10	10/10

Exploit range	Attack complexity	Authentication
Remote	Low	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	None	Partial

Affected software
Apache -> Apr-util

References:

https://bugzilla.redhat.com/show_bug.cgi?id=504390

http://www.openwall.com/lists/oss-security/2009/06/06/1

http://svn.apache.org/viewvc?view=rev&revision=768417

https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01228.html

https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01201.html

https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01173.html

http://www.vupen.com/english/advisories/2009/3184

http://www.vupen.com/english/advisories/2009/1907

http://www.ubuntu.com/usn/usn-787-1

http://www.ubuntu.com/usn/usn-786-1

http://www.securityfocus.com/bid/35251

http://www.redhat.com/support/errata/RHSA-2009-1108.html

http://www.redhat.com/support/errata/RHSA-2009-1107.html

http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html

http://www.mandriva.com/security/advisories?name=MDVSA-2009:131

http://www.mail-archive.com/dev@apr.apache.org/msg21592.html

http://www.mail-archive.com/dev@apr.apache.org/msg21591.html

http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3

http://www-01.ibm.com/support/docview.wss?uid=swg27014463

http://www-01.ibm.com/support/docview.wss?uid=swg1PK99478

http://www-01.ibm.com/support/docview.wss?uid=swg1PK91241

http://www-01.ibm.com/support/docview.wss?uid=swg1PK88341

http://support.apple.com/kb/HT3937

http://security.gentoo.org/glsa/glsa-200907-03.xml

http://secunia.com/advisories/37221

http://secunia.com/advisories/35843

http://secunia.com/advisories/35797

http://secunia.com/advisories/35710

http://secunia.com/advisories/35565

http://secunia.com/advisories/35487

http://secunia.com/advisories/35395

http://secunia.com/advisories/35284

http://secunia.com/advisories/34724

http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:12237

http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11567

http://marc.info/?l=bugtraq&m=129190899612998&w=2

http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html

Vulnerability CVE-2009-1956

Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.

CWE-189

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:P)

6.4/10

4.9/10

10/10

Remote

Low

No required

Partial

None

Partial

Affected software

References: