CVE-2015-0253

CWE-476 — NULL Pointer Dereference9 documents7 sources

Severity

5.0MEDIUM

EPSS

10.6%

top 6.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apple MAC OS X Apple MAC OS X Server +2 more

Timeline

PublishedJul 20

Latest updateMay 13

Description

The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method to an installation that enables the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages5 packages

▶NVDapache/http_server2.4.12

▶NVDapple/mac_os_x_server5.0.3

▶NVDoracle/linux7

▶NVDapple/mac_os_x10.10.4

▶NVDoracle/solaris11.3

🔴Vulnerability Details

GHSA

GHSA-4g3x-jprw-h46m: The read_request_line function in server/protocol↗2022-05-13

▶

CVEList

CVE-2015-0253: The read_request_line function in server/protocol↗2015-07-20

▶

📋Vendor Advisories

Red Hat

httpd: NULL pointer dereference crash with ErrorDocument 400 pointing to a local URL-path↗2015-07-15

▶

Debian

CVE-2015-0253: apache2 - The read_request_line function in server/protocol.c in the Apache HTTP Server 2....↗2015

▶

Apple

CVE-2015-0253: OS X Yosemite v10.10.5 and Security Update 2015-006↗

▶

Apple

CVE-2015-0253: OS X Server v5.0.3↗

▶

💬Community

Bugzilla

CVE-2015-0253 httpd: NULL pointer dereference crash with ErrorDocument 400 pointing to a local URL-path↗2015-07-16

▶

Bugzilla

CVE-2015-3185 CVE-2015-3183 CVE-2015-0253 httpd: various flaws [fedora-all]↗2015-07-16

▶