CVE-2009-1890
HIGH severity · CVSS 7.1 · Uncontrolled resource consumption
Summary
The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.
Impact & exploitability
Attack vector: Network
Attack complexity: —
Privileges required: —
User interaction: —
Confidentiality impact: None
Integrity impact: None
Availability impact: —
Exploit probability (EPSS): 16%
AV:N/AC:M/Au:N/C:N/I:N/A:C
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://secunia.com/advisories/35691 (Advisory)
- http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html (Advisory)
- http://marc.info/?l=bugtraq&m=129190899612998&w=2 (Advisory)
- http://osvdb.org/55553
- http://secunia.com/advisories/35721
- http://secunia.com/advisories/35793
- http://secunia.com/advisories/35865