CVE-2008-2364: Allocation of Resources Without Limits or Throttling in Apache HTTP Server

Severity: 5.0 MEDIUM (NVD)
EPSS: 2.2% (top 15.52%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 13; latest update May 1

Description

The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.

CVSS vector

AV:N/AC:L/C:N/I:N/A:P
Exploitability: 10.0 | Impact: 2.9

Affected Packages (4 packages)

NVD | apache/http_server | 2.0.35 2.0.64 +1
NVD | redhat/enterprise_linux_server | 3.0, 4.0, 5.0 +2
NVD | redhat/enterprise_linux_desktop | 3.0, 4.0, 5.0 +2

Also affects: Fedora 8, 9, Ubuntu Linux 6.06, 7.10, 8.04, Enterprise Linux 4.7, 5.2

Patches

🔴 Vulnerability Details (3)

GHSA | GHSA-jjpp-hx4r-hqpc: The ap_proxy_http_process_response function in mod_proxy_http | 2022-05-01
CVEList | CVE-2008-2364: The ap_proxy_http_process_response function in mod_proxy_http | 2008-06-13
OSV | CVE-2008-2364: The ap_proxy_http_process_response function in mod_proxy_http | 2008-06-13

📋 Vendor Advisories (4)

Ubuntu | Apache vulnerabilities | 2009-03-10
Red Hat | httpd: mod_proxy_http DoS via excessive interim responses from the origin server | 2008-06-10
Debian | CVE-2008-2364: apache2 - The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy... | 2008
Apache | Apache httpd: CVE-2008-2364

💬 Community (2)

Bugzilla | Security: CVE-2008-2364, CVE-2007-6420: Apache 2.2.9 released, offers significant performance/security improvements | 2008-07-04
Bugzilla | CVE-2008-2364 httpd: mod_proxy_http DoS via excessive interim responses from the origin server | 2008-06-16