CVE-2003-1580 — Apache Http Server vulnerability

CWE-1895 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

1.2%

top 21.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server

Timeline

PublishedFeb 5

Latest updateApr 29

Description

The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/http_server2.0.44

🔴Vulnerability Details

GHSA

GHSA-4fhm-3w62-3q2q: The Apache HTTP Server 2↗2022-04-29

▶

CVEList

CVE-2003-1580: The Apache HTTP Server 2↗2010-02-05

▶

OSV

CVE-2003-1580: The Apache HTTP Server 2↗2010-02-05

▶

📋Vendor Advisories

Debian

CVE-2003-1580: apache2 - The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addr...↗2003

▶