CVE-2015-0228

CWE-20 — Improper Input Validation11 documents9 sources

Severity

5.0MEDIUM

EPSS

18.7%

top 4.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apple MAC OS X Apple MAC OS X Server +2 more

Timeline

PublishedMar 8

Latest updateMay 13

Description

The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages5 packages

▶NVDapache/http_server2.4.12

▶Debianapache2< 2.4.10-10+3

▶NVDapple/mac_os_x_server5.0.3

▶NVDapple/mac_os_x10.10.4

▶NVDopensuse/opensuse13.2

Also affects: Ubuntu Linux 10.04, 12.04, 14.04, 14.10

🔴Vulnerability Details

GHSA

GHSA-73qw-6rjv-mchr: The lua_websocket_read function in lua_request↗2022-05-13

▶

OSV

CVE-2015-0228: The lua_websocket_read function in lua_request↗2015-03-08

▶

CVEList

CVE-2015-0228: The lua_websocket_read function in lua_request↗2015-03-08

▶

📋Vendor Advisories

Ubuntu

Apache HTTP Server vulnerabilities↗2015-03-10

▶

Red Hat

httpd: Possible mod_lua crash due to websocket bug↗2015-03-10

▶

Debian

CVE-2015-0228: apache2 - The lua_websocket_read function in lua_request.c in the mod_lua module in the Ap...↗2015

▶

Apple

CVE-2015-0228: OS X Yosemite v10.10.5 and Security Update 2015-006↗

▶

Apple

CVE-2015-0228: OS X Server v5.0.3↗

▶

💬Community

Bugzilla

CVE-2015-0228 httpd: Possible mod_lua crash due to websocket bug [fedora-all]↗2015-06-16

▶

Bugzilla

CVE-2015-0228 httpd: Possible mod_lua crash due to websocket bug↗2015-03-17

▶