CVE-2015-0253

Severity

50%

Complexity

99%

Confidentiality

48%

CWE-476: NULL Pointer Dereference

The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method to an installation that enables the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI.

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P).

Overview

First reported 9 years ago

2015-07-20 23:59:00

Last updated 5 years ago

2019-12-27 16:08:00

Affected Software

Apache Software Foundation Apache HTTP Server 2.4.12

Apple Mac OS X 10.10.4

Apple Mac OS X Server 5.0.3

Oracle Solaris 11.3

References

http://httpd.apache.org/security/vulnerabilities_24.html

Vendor Advisory

APPLE-SA-2015-08-13-2

Mailing List

APPLE-SA-2015-09-16-4

Mailing List

RHSA-2015:1666

http://www.apache.org/dist/httpd/CHANGES_2.4

Release Notes, Vendor Advisory

http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

Third Party Advisory

75964

1032967

https://bz.apache.org/bugzilla/show_bug.cgi?id=57531

Issue Tracking

https://github.com/apache/httpd/commit/6a974059190b8a0c7e499f4ab12fe108127099cb

[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

https://support.apple.com/HT205219

Third Party Advisory

https://support.apple.com/kb/HT205031

Third Party Advisory
