CVE-2002-0839

Severity

72%

Complexity

39%

Confidentiality

165%

The shared memory scoreboard in the HTTP daemon for Apache 1.3.x before 1.3.27 allows any user running as the Apache UID to send a SIGUSR1 signal to any process as root, resulting in a denial of service (process kill) or possibly other behaviors that would not normally be allowed, by modifying the parent[].pid and parent[].last_rtime segments in the scoreboard.

CVSS 2.0 Base Score 7.2. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C).

Overview

Type

Apache Software Foundation Apache HTTP Server

First reported 22 years ago

2002-10-11 04:00:00

Last updated 8 years ago

2016-10-18 02:22:00

Affected Software

Apache Software Foundation Apache HTTP Server 1.3.19

1.3.19

Apache Software Foundation Apache HTTP Server 1.3.20

1.3.20

Apache Software Foundation Apache HTTP Server 1.3.22

1.3.22

Apache Software Foundation Apache HTTP Server 1.3.23

1.3.23

Apache Software Foundation Apache HTTP Server 1.3.24

1.3.24

Apache Software Foundation Apache HTTP Server 1.3.25

1.3.25

Apache Software Foundation Apache HTTP Server 1.3.26

1.3.26

References

20021105-01-I

20021015 GLSA: apache

20021017 TSLSA-2002-0069-apache

20021003 iDEFENSE Security Advisory 10.03.2002: Apache 1.3.x shared memory scoreboard vulnerabilities

Patch, Vendor Advisory

CLA-2002:530

http://marc.info/?l=apache-httpd-announce&m=103367938230488&w=2

20021003 [OpenPKG-SA-2002.009] OpenPKG Security Advisory (apache)

SSRT090208

HPSBUX0210-224

http://www.apacheweek.com/issues/02-10-04

Vendor Advisory

DSA-187

DSA-188

DSA-195

apache-scorecard-memory-overwrite(10280)