CVE-2012-0021 — Improper Input Validation in Apache Http Server

CWE-20 — Improper Input Validation CWE-476 — NULL Pointer Dereference10 documents8 sources

Severity

2.6LOWNVD

EPSS

33.0%

top 3.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server

Timeline

PublishedJan 28

Latest updateMay 4

Description

The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value.

CVSS vector

AV:N/AC:H/C:N/I:N/A:PExploitability: 4.9 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/http_server5 versions+4

Patches

Patch: svn.apache.org ↗Patch: issues.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-mq76-p4cp-m2vg: The log_cookie function in mod_log_config↗2022-05-04

▶

OSV

CVE-2012-0021: The log_cookie function in mod_log_config↗2012-01-28

▶

CVEList

CVE-2012-0021: The log_cookie function in mod_log_config↗2012-01-28

▶

📋Vendor Advisories

Ubuntu

Apache HTTP Server vulnerabilities↗2012-02-16

▶

Debian

CVE-2012-0021: apache2 - The log_cookie function in mod_log_config.c in the mod_log_config module in the ...↗2012

▶

Red Hat

httpd: NULL pointer dereference crash in mod_log_config↗2011-11-28

▶

💬Community

Bugzilla

CVE-2011-3368 CVE-2012-0053 CVE-2012-0031 CVE-2012-0021 CVE-2011-3607 httpd: multiple vulnerabilities [fedora-all]↗2012-01-27

▶

Bugzilla

CVE-2012-0021 httpd: crash in mod_log_config [fedora-all]↗2012-01-27

▶

Bugzilla

CVE-2012-0021 httpd: NULL pointer dereference crash in mod_log_config↗2012-01-27

▶