CVE-2014-0098 — Improper Handling of Syntactically Invalid Structure in Apache Http Server

CWE-228 — Improper Handling of Syntactically Invalid Structure CWE-125 — Out-of-bounds Read CWE-20 — Improper Input Validation11 documents10 sources

Severity

5.0MEDIUMNVD

EPSS

41.0%

top 2.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Canonical Ubuntu Linux Oracle Http Server +1 more

Timeline

PublishedMar 18

Latest updateMay 13

Description

The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶NVDapache/http_server2.2.0 — 2.2.27+1

▶NVDoracle/http_server4 versions+3

▶NVDoracle/secure_global_desktop4 versions+3

Also affects: Ubuntu Linux 10.04, 12.04, 12.10, 13.10

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-mfxf-5vhj-623g: The log_cookie function in mod_log_config↗2022-05-13

▶

OSV

CVE-2014-0098: The log_cookie function in mod_log_config↗2014-03-18

▶

CVEList

CVE-2014-0098: The log_cookie function in mod_log_config↗2014-03-18

▶

📋Vendor Advisories

Ubuntu

Apache HTTP Server vulnerabilities↗2014-03-24

▶

Red Hat

httpd: mod_log_config does not properly handle logging certain cookies resulting in DoS↗2014-03-07

▶

Debian

CVE-2014-0098: apache2 - The log_cookie function in mod_log_config.c in the mod_log_config module in the ...↗2014

▶

Apple

CVE-2014-0098: OS X Yosemite v10.10.3 and Security Update 2015-004↗

▶

Apache

Apache httpd: CVE-2014-0098↗

▶

💬Community

Bugzilla

CVE-2014-0098 httpd: mod_log_config does not properly handle logging certain cookies resulting in DoS↗2014-03-18

▶

Bugzilla

CVE-2013-6438 CVE-2014-0098 httpd: various flaws [fedora-all]↗2014-03-18

▶