CVE-2013-6438 — Improper Input Validation in Apache Http Server

CWE-20 — Improper Input Validation CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer10 documents9 sources

Severity

5.0MEDIUMNVD

EPSS

30.2%

top 3.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Canonical Ubuntu Linux Oracle Http Server

Timeline

PublishedMar 18

Latest updateMay 13

Description

The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDapache/http_server2.2.0 — 2.2.27+1

▶NVDoracle/http_server4 versions+3

Also affects: Ubuntu Linux 10.04, 12.04, 12.10, 13.10

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-2xpp-q4gq-7cc3: The dav_xml_get_cdata function in main/util↗2022-05-13

▶

CVEList

CVE-2013-6438: The dav_xml_get_cdata function in main/util↗2014-03-18

▶

OSV

CVE-2013-6438: The dav_xml_get_cdata function in main/util↗2014-03-18

▶

📋Vendor Advisories

Ubuntu

Apache HTTP Server vulnerabilities↗2014-03-24

▶

Red Hat

httpd: mod_dav denial of service via crafted DAV WRITE request↗2013-10-03

▶

Debian

CVE-2013-6438: apache2 - The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apach...↗2013

▶

Apple

CVE-2013-6438: OS X Yosemite v10.10.3 and Security Update 2015-004↗

▶

💬Community

Bugzilla

CVE-2013-6438 CVE-2014-0098 httpd: various flaws [fedora-all]↗2014-03-18

▶

Bugzilla

CVE-2013-6438 httpd: mod_dav denial of service via crafted DAV WRITE request↗2014-03-18

▶