CVE-2009-1195 — Apache Http Server vulnerability

CWE-168 documents8 sources

Severity

4.9MEDIUMNVD

EPSS

0.2%

top 59.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server

Timeline

PublishedMay 28

Latest updateMay 2

Description

The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file.

CVSS vector

AV:L/AC:L/C:N/I:N/A:CExploitability: 3.9 | Impact: 6.9

Affected Packages1 packages

▶NVDapache/http_server9 versions+8

Patches

Patch: svn.apache.org ↗Patch: bugzilla.redhat.com ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-pxp4-3gwj-j6m3: The Apache HTTP Server 2↗2022-05-02

▶

CVEList

CVE-2009-1195: The Apache HTTP Server 2↗2009-05-28

▶

OSV

CVE-2009-1195: The Apache HTTP Server 2↗2009-05-28

▶

📋Vendor Advisories

Ubuntu

Apache vulnerabilities↗2009-06-11

▶

Red Hat

httpd: AllowOverride Options=IncludesNoExec allows Options Includes↗2009-04-22

▶

Debian

CVE-2009-1195: apache2 - The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle ...↗2009

▶

💬Community

Bugzilla

CVE-2009-1195 httpd: AllowOverride Options=IncludesNoExec allows Options Includes↗2009-03-10

▶