CVE-2009-1955

Summary

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.

Impact & exploitability

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products we track (2)

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: http://marc.info/?l=apr-dev&m=124396021826125&w=2 ↗

Additional information

• NVD record
• http://marc.info/?l=apr-dev&m=124396021826125&w=2Patch
• http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.htmlAdvisory
• http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.htmlAdvisory
• http://marc.info/?l=bugtraq&m=129190899612998&w=2
• http://secunia.com/advisories/34724Advisory
• http://secunia.com/advisories/35284Advisory
• http://secunia.com/advisories/35360Advisory
• http://secunia.com/advisories/35395Advisory