CVE-2010-0434 — Sensitive Information Exposure in Apache Http Server

CWE-200 — Sensitive Information Exposure9 documents9 sources

Severity

4.3MEDIUMNVD

EPSS

2.6%

top 14.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Debian Linux Fedoraproject Fedora

Timeline

PublishedMar 5

Latest updateMay 2

Description

The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/http_server2.0.35 — 2.0.64+1

Also affects: Debian Linux 5.0, 6.0, Fedora 11, 13

Patches

Patch: httpd.apache.org ↗Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-jm28-fmm3-4cr6: The ap_read_request function in server/protocol↗2022-05-02

▶

CVEList

CVE-2010-0434: The ap_read_request function in server/protocol↗2010-03-05

▶

OSV

CVE-2010-0434: The ap_read_request function in server/protocol↗2010-03-05

▶

📋Vendor Advisories

Ubuntu

Apache vulnerabilities↗2010-03-10

▶

Debian

CVE-2010-0434: apache2 - The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2....↗2010

▶

Red Hat

httpd: request header information leak↗2009-12-09

▶

Apache

Apache httpd: CVE-2010-0434↗

▶

💬Community

Bugzilla

CVE-2010-0434 httpd: request header information leak↗2010-03-03

▶