CVE-2009-1890 — Uncontrolled Resource Consumption in Apache Http Server

CWE-400 — Uncontrolled Resource Consumption CWE-835 — Infinite Loop10 documents9 sources

Severity

7.1HIGHNVD

EPSS

37.9%

top 2.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Canonical Ubuntu Linux Debian Linux +6 more

Timeline

PublishedJul 5

Latest updateMay 10

Description

The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.

CVSS vector

AV:N/AC:M/C:N/I:N/A:CExploitability: 8.6 | Impact: 6.9

Affected Packages4 packages

▶NVDapache/http_server2.2.0 — 2.2.12

▶NVDredhat/enterprise_linux_server5.0

▶NVDredhat/enterprise_linux_desktop5.0

▶NVDredhat/enterprise_linux_workstation5.0

Also affects: Debian Linux 4.0, 5.0, 6.0, Fedora 11, Ubuntu Linux 6.06, 8.04, 8.10, 9.04, Enterprise Linux 5.3

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-wvqw-w5hq-v4m4: The stream_reqbody_cl function in mod_proxy_http↗2022-05-02

▶

OSV

CVE-2009-1890: The stream_reqbody_cl function in mod_proxy_http↗2009-07-05

▶

CVEList

CVE-2009-1890: The stream_reqbody_cl function in mod_proxy_http↗2009-07-05

▶

📋Vendor Advisories

Microsoft

CVE-2009-1890: NIST NVD Details: https://nvd↗2022-05-10

▶

Ubuntu

Apache vulnerabilities↗2009-07-13

▶

Red Hat

httpd: mod_proxy reverse proxy DoS (infinite loop)↗2009-07-02

▶

Debian

CVE-2009-1890: apache2 - The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in th...↗2009

▶

💬Community

Bugzilla

CVE-2009-1890 httpd: mod_proxy reverse proxy DoS (infinite loop)↗2009-07-02

▶

Bugzilla

CVE-2009-1789 eggdrop DoS (crash) [F11]↗2009-05-26

▶