CVE-2011-1928

CWE-3998 documents8 sources

Severity

4.3MEDIUM

EPSS

14.4%

top 5.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Apr-util Apache Http Server

Timeline

PublishedMay 24

Latest updateMay 14

Description

The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶NVDapache/http_server2.2.18

▶NVDapache/apr-util1.4.3, 1.4.4+1

▶Debianapr< 1.4.5-1+3

🔴Vulnerability Details

GHSA

GHSA-9h43-8fmr-wxgx: The fnmatch implementation in apr_fnmatch↗2022-05-14

▶

OSV

CVE-2011-1928: The fnmatch implementation in apr_fnmatch↗2011-05-24

▶

CVEList

CVE-2011-1928: The fnmatch implementation in apr_fnmatch↗2011-05-24

▶

📋Vendor Advisories

Ubuntu

APR vulnerabilities↗2011-05-24

▶

Red Hat

apr: DoS flaw in apr_fnmatch() due to fix for CVE-2011-0419↗2011-05-19

▶

Debian

CVE-2011-1928: apr - The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR)...↗2011

▶

💬Community

Bugzilla

CVE-2011-1928 apr: DoS flaw in apr_fnmatch() due to fix for CVE-2011-0419↗2011-05-19

▶