4.3

CVE-2011-0419

Exploit

EPSS 56.21%
Published 16.05.2011 17:55:02
Last modified 11.04.2025 00:51:21
Source cret@cert.org
Teams watchlist Login
Open Login

Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.

Affected products Warnungen 0 Metrics 2 CWE 1 References 61

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Portable Runtime Version < 1.4.3

Apache ≫ HTTP Server Version >= 2.0.0 <= 2.0.65

Apache ≫ HTTP Server Version >= 2.2.0 <= 2.2.18

Apple ≫ macOS X Version10.6.0

Freebsd ≫ Freebsd

Google ≫ Android

Netbsd ≫ Netbsd Version5.1

Openbsd ≫ Openbsd Version4.8

Oracle ≫ Solaris Version10

Debian ≫ Debian Linux Version5.0

Debian ≫ Debian Linux Version6.0

Debian ≫ Debian Linux Version7.0

Suse ≫ Linux Enterprise Server Version10 Updatesp3 SwEdition-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	56.21%	0.98

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:N/A:P

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

VDB Entry

http://www.mandriva.com/security/advisories?name=MDVSA-2013:150

Broken Link

http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html

Third Party Advisory

https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

Third Party Advisory

https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

http://httpd.apache.org/security/vulnerabilities_22.html

Vendor Advisory

https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

http://www.redhat.com/support/errata/RHSA-2011-0896.html

Third Party Advisory

http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html

Broken Link

http://support.apple.com/kb/HT5002

Third Party Advisory

https://lists.apache.org/thread.html/r688df6f16f141e966a0a47f817e559312b3da27886f59116a94b273d%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

https://lists.apache.org/thread.html/re2e23465bbdb17ffe109d21b4f192e6b58221cd7aa8797d530b4cd75%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

http://www.redhat.com/support/errata/RHSA-2011-0897.html

Third Party Advisory

https://lists.apache.org/thread.html/r064df0985779b7ee044d3120d71ba59750427cf53f57ba3384e3773f%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

https://lists.apache.org/thread.html/r1d201e3da31a2c8aa870c8314623caef7debd74a13d0f25205e26f15%40%3Ccvs.httpd.apache.org%3E

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00011.html

Third Party Advisory

Mailing List

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/fnmatch.c#rev1.22

Third Party Advisory

http://cxib.net/stuff/apache.fnmatch.phps

Patch

Third Party Advisory

http://cxib.net/stuff/apr_fnmatch.txts

Third Party Advisory

http://marc.info/?l=bugtraq&m=131551295528105&w=2

Third Party Advisory

Mailing List

Issue Tracking

http://marc.info/?l=bugtraq&m=131731002122529&w=2

Third Party Advisory

Mailing List

Issue Tracking

http://marc.info/?l=bugtraq&m=132033751509019&w=2

Third Party Advisory

Mailing List

Issue Tracking

http://marc.info/?l=bugtraq&m=134987041210674&w=2

Third Party Advisory

Mailing List

Issue Tracking

http://secunia.com/advisories/44490

Vendor Advisory

Not Applicable

http://secunia.com/advisories/44564

Vendor Advisory

Not Applicable

http://secunia.com/advisories/44574

Vendor Advisory

Not Applicable

http://secunia.com/advisories/48308

Not Applicable

http://securityreason.com/achievement_securityalert/98

Third Party Advisory

Exploit

http://securityreason.com/securityalert/8246

Third Party Advisory

Exploit

http://securitytracker.com/id?1025527

Third Party Advisory

Broken Link

VDB Entry

http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/strings/apr_fnmatch.c?r1=731029&r2=1098902

Patch

Vendor Advisory

http://svn.apache.org/viewvc?view=revision&revision=1098188

Patch

Vendor Advisory

http://svn.apache.org/viewvc?view=revision&revision=1098799

Patch

Vendor Advisory

http://www.apache.org/dist/apr/Announcement1.x.html

Patch

Vendor Advisory

http://www.apache.org/dist/apr/CHANGES-APR-1.4

Broken Link

http://www.apache.org/dist/httpd/Announcement2.2.html

Patch

Vendor Advisory

http://www.debian.org/security/2011/dsa-2237

Third Party Advisory

http://www.mail-archive.com/dev%40apr.apache.org/msg23960.html

Third Party Advisory

Mailing List

http://www.mail-archive.com/dev%40apr.apache.org/msg23961.html

Third Party Advisory

Mailing List

http://www.mail-archive.com/dev%40apr.apache.org/msg23976.html

Third Party Advisory

Mailing List

http://www.mandriva.com/security/advisories?name=MDVSA-2011:084

Broken Link

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fnmatch.c#rev1.15

Broken Link

http://www.redhat.com/support/errata/RHSA-2011-0507.html

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=703390

Patch

Third Party Advisory

Issue Tracking

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14638

Third Party Advisory

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14804

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2011-0419

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2011-0419

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2011-0419

EUVD