CVE-2014-3523 — Missing Release of Memory after Effective Lifetime in Apache Http Server

CWE-3997 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

35.2%

top 2.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server

Timeline

PublishedJul 20

Latest updateMay 13

Description

Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/http_server8 versions+7

Patches

Patch: httpd.apache.org ↗Patch: httpd.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-jvhm-2h34-2h38: Memory leak in the winnt_accept function in server/mpm/winnt/child↗2022-05-13

▶

CVEList

CVE-2014-3523: Memory leak in the winnt_accept function in server/mpm/winnt/child↗2014-07-20

▶

📋Vendor Advisories

Red Hat

httpd: WinNT MPM denial of service↗2014-07-15

▶

Debian

CVE-2014-3523: apache2 - Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinN...↗2014

▶

Apache

Apache httpd: CVE-2014-3523↗

▶

💬Community

Bugzilla

CVE-2014-3523 httpd: WinNT MPM denial of service↗2014-07-21

▶