CVE-2016-2161

CWE-823 CWE-20 — Improper Input Validation13 documents9 sources

Severity

7.5HIGH

EPSS

33.2%

top 3.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Http Server Apache Http Server

Timeline

PublishedJul 27

Latest updateMay 13

Description

In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDapache/http_server17 versions+16

▶CVEListV5apache_software_foundation/apache_http_server2.4.0 to 2.4.23

▶Debianapache2< 2.4.25-1+3

▶Ubuntuapache2< 2.4.7-1ubuntu4.15+1

🔴Vulnerability Details

GHSA

GHSA-3v6f-955w-932h: In Apache HTTP Server versions 2↗2022-05-13

▶

CVEList

CVE-2016-2161: In Apache HTTP Server versions 2↗2017-07-27

▶

OSV

CVE-2016-2161: In Apache HTTP Server versions 2↗2017-07-27

▶

OSV

apache2 vulnerabilities↗2017-05-09

▶

📋Vendor Advisories

Apple

CVE-2016-2161: macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan↗2017-10-31

▶

Apple

CVE-2016-2161: macOS High Sierra 10.13↗2017-09-25

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2017-05-09

▶

Apple

CVE-2016-2161: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite↗2017-03-27

▶

Red Hat

httpd: DoS vulnerability in mod_auth_digest↗2016-12-20

▶

💬Community

Bugzilla

CVE-2016-0736 CVE-2016-2161 CVE-2016-8743 httpd: various flaws [fedora-all]↗2016-12-21

▶

Bugzilla

CVE-2016-2161 httpd: DoS vulnerability in mod_auth_digest↗2016-12-21

▶