Description
mod_cgi in Apache 2.0.39 and 2.0.40 allows local users and possibly remote attackers to cause a denial of service (hang and memory consumption) by causing a CGI script to send a large amount of data to stderr, which results in a read/write deadlock between httpd and the CGI script.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected products
- apache / http_server2.0.39 – 2.0.39
- apache / http_server2.0.40 – 2.0.40
References
- MISChttp://securitytracker.com/id?1007823
- MAILING_LISThttp://seclists.org/bugtraq/2002/Sep/0253.html
- MISChttp://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/generators/mod_cgi.c?r1=1.148.2.7&r2=1.148.2.8
- MISChttp://www.securityfocus.com/bid/8725
- MISChttp://issues.apache.org/bugzilla/show_bug.cgi?id=10515
- MISChttp://www.iss.net/security_center/static/10200.php
- MISChttp://www.securityfocus.com/bid/5787
- MAILING_LISThttp://marc.info/?l=apache-httpd-dev&m=103291952019514&w=2
- MISChttp://issues.apache.org/bugzilla/show_bug.cgi?id=22030