Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2012-0053

12 documents, 9 sources
Severity
4.3 MEDIUM
EPSS
56.0%
top 1.90%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Jan 28
Latest update: May 4

Description

protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.

CVSS vector

AV:N/AC:M/C:P/I:N/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages: 10 packages

Also affects: Debian Linux 5.0, 6.0, 7.0, Enterprise Linux 6.2

Patches

🔴Vulnerability Details

3
GHSA
GHSA-x2wg-fp56-xx79: protocol (2022-05-04)
CVEList
CVE-2012-0053: protocol (2012-01-28)
OSV
CVE-2012-0053: protocol (2012-01-28)

💥Exploits & PoCs

1
Exploit-DB
Apache - httpOnly Cookie Disclosure (2012-01-31)

📋Vendor Advisories

3
Ubuntu
Apache HTTP Server vulnerabilities (2012-02-16)
Red Hat
httpd: cookie exposure due to error responses (2012-01-23)
Debian
CVE-2012-0053: apache2 - protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly rest... (2012)

💬Community

4
Bugzilla
CVE-2012-4407 moodle: Blog file access issue (MSA-12-0053) (2012-09-17)
Bugzilla
CVE-2012-2922 drupal7: full path disclosure vulnerability (2012-05-23)
Bugzilla
CVE-2012-0053 httpd: cookie exposure due to error responses (2012-01-27)
Bugzilla
CVE-2011-3368 CVE-2012-0053 CVE-2012-0031 CVE-2012-0021 CVE-2011-3607 httpd: multiple vulnerabilities [fedora-all] (2012-01-27)