Denial of Service in Apache APR-util Versions
CVE-2009-0023
Currently unrated
Summary
The apr_strmatch_precompile function in Apache APR-util before version 1.3.5 contains a heap-based buffer underflow that remote attackers can trigger with crafted input, possibly causing a denial of service, including a crash of the daemon. The crafted input can arrive through a .htaccess file used with the Apache HTTP Server, through directives in the mod_dav_svn module, through the mod_apreq2 module, or through applications that use the libapreq2 library.
EPSS Score
10% chance of being exploited in the next 30 days.