CVE-2012-3502 — Sensitive Information Exposure in Apache HTTP Server

Severity: 4.3 MEDIUM (NVD)
EPSS: 3.8% (top 11.91%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 22
Latest update: May 13

Description

The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp module and (2) mod_proxy_http.c in the mod_proxy_http module in the Apache HTTP Server 2.4.x before 2.4.3 does not properly determine the situations that require closing a back-end connection, which allows remote attackers to obtain sensitive information in opportunistic circumstances by reading a response that was intended for a different client.

CVSS vector

AV:N/AC:M/C:P/I:N/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (1 package)

NVD: apache/http_server 2.4.0, 2.4.1, 2.4.2 +2

Vulnerability Details (2)

GHSA: GHSA-5fh8-x76v-cx49: The proxy functionality in (1) mod_proxy_ajp (2022-05-13)
CVEList: CVE-2012-3502: The proxy functionality in (1) mod_proxy_ajp (2012-08-22)

Vendor Advisories (3)

Red Hat: mod_proxy_http): Information disclosure due improper management of back end server connection close within error handling (2012-08-16)
Debian: CVE-2012-3502: apache2 - The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp module and (... (2012)
Apache: Apache httpd: CVE-2012-3502

Community (1)

Bugzilla: CVE-2012-3502 httpd (mod_proxy_ajp, mod_proxy_http): Information disclosure due improper management of back end server connection close within error handling (2012-08-22)