CVE-2013-1896

Severity

43%

Complexity

86%

Confidentiality

48%

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P).

Overview

Type

Apache HTTP Server

First reported 11 years ago

2013-07-10 20:55:00

Last updated 7 years ago

2017-09-19 01:36:00

Affected Software

Apache Software Foundation Apache HTTP Server 2.2.0

2.2.0

Apache Software Foundation Apache HTTP Server 2.2.1

2.2.1

Apache Software Foundation Apache HTTP Server 2.2.2

2.2.2

Apache Software Foundation Apache HTTP Server 2.2.3

2.2.3

Apache Software Foundation Apache HTTP Server 2.2.4

2.2.4

Apache Software Foundation Apache HTTP Server 2.2.6

2.2.6

Apache Software Foundation Apache HTTP Server 2.2.8

2.2.8

Apache Software Foundation Apache HTTP Server 2.2.9

2.2.9

Apache Software Foundation Apache HTTP Server 2.2.10

2.2.10

Apache Software Foundation Apache HTTP Server 2.2.11

2.2.11

Apache Software Foundation Apache HTTP Server 2.2.12

2.2.12

Apache Software Foundation Apache HTTP Server 2.2.13

2.2.13

Apache Software Foundation Apache HTTP Server 2.2.14

2.2.14

Apache Software Foundation Apache HTTP Server 2.2.15

2.2.15

Apache Software Foundation Apache HTTP Server 2.2.16

2.2.16

Apache Software Foundation Apache HTTP Server 2.2.17

2.2.17

Apache Software Foundation Apache HTTP Server 2.2.18

2.2.18

Apache Software Foundation Apache HTTP Server 2.2.19

2.2.19

Apache Software Foundation Apache HTTP Server 2.2.20

2.2.20

Apache HTTP Server 2.2.21

2.2.21

Apache Software Foundation Apache HTTP Server 2.2.22

2.2.22

Apache Software Foundation Apache HTTP Server 2.2.23

2.2.23

Apache Software Foundation Apache HTTP Server

References

openSUSE-SU-2013:1337

openSUSE-SU-2013:1340

openSUSE-SU-2013:1341

RHSA-2013:1156

RHSA-2013:1207

RHSA-2013:1208

RHSA-2013:1209

55032

http://support.apple.com/kb/HT6150

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?r1=1482522&r2=1485668&diff_format=h

Exploit, Patch

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?view=log

20130822 Apache HTTP Server MERGE Request Denial of Service Vulnerability

http://www.apache.org/dist/httpd/Announcement2.2.html

Vendor Advisory

61129

USN-1903-1

http://www-01.ibm.com/support/docview.wss?uid=swg21644047

SSRT101288

https://httpd.apache.org/security/vulnerabilities_24.html

[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

oval:org.mitre.oval:def:18835

oval:org.mitre.oval:def:19747

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.