CVE-2011-0419

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 16-05-2011 07:55

Last modified: - 26-09-2022 05:45

Total changes: - 6

Description

Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.

Common Vulnerability Scoring System (CVSS)

AV:N/AC:M/Au:N/C:N/I:N/A:P

Low

Attack complexity

Network

Attack vector

Low

Availability

None

Confidentiality

None

Integrity

Privileges required

Scope

User interaction

4.3

Base score

8.6

2.9

Exploitability score

Impact score

Verification logic

Reference

http://cxib.net/stuff/apr_fnmatch.txts
20110512 Multiple Vendors libc/fnmatch(3) DoS (incl apache)-Exploit, Third Party Advisory
[dev] 20110510 Re: Apache Portable Runtime 1.4.4 [...] Released-Third Party Advisory
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fnmatch.c#rev1.15
http://www.apache.org/dist/apr/CHANGES-APR-1.4
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1098188
44490-Not Applicable, Vendor Advisory
RHSA-2011:0507-Third Party Advisory
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/fnmatch.c#rev1.22
http://www.apache.org/dist/apr/Announcement1.x.html
1025527-Broken Link, Third Party Advisory, VDB Entry
[dev] 20110510 Re: fnmatch rewrite in apr, apr 1.4.3-Third Party Advisory
http://www.apache.org/dist/httpd/Announcement2.2.html
44564-Not Applicable, Vendor Advisory
[dev] 20110511 Re: Apache Portable Runtime 1.4.4 [...] Released-Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=703390
http://cxib.net/stuff/apache.fnmatch.phps
http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/strings/apr_fnmatch.c?r1=731029&r2=1098902
http://svn.apache.org/viewvc?view=revision&revision=1098799
44574-Not Applicable, Vendor Advisory
DSA-2237-Third Party Advisory
MDVSA-2011:084-Broken Link
RHSA-2011:0897-Third Party Advisory
RHSA-2011:0896-Third Party Advisory
8246-Exploit, Third Party Advisory
APPLE-SA-2011-10-12-3-Broken Link
http://support.apple.com/kb/HT5002
HPSBUX02702-Issue Tracking, Mailing List, Third Party Advisory
HPSBUX02707-Issue Tracking, Mailing List, Third Party Advisory
SSRT100619-Issue Tracking, Mailing List, Third Party Advisory
SUSE-SU-2011:1229-Mailing List, Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
SSRT100966-Issue Tracking, Mailing List, Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
MDVSA-2013:150-Broken Link
oval:org.mitre.oval:def:14804-Third Party Advisory
oval:org.mitre.oval:def:14638-Third Party Advisory
48308-Not Applicable
[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-Mailing List, Vendor Advisory
[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-Mailing List, Vendor Advisory
[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-Mailing List, Vendor Advisory
[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-Mailing List, Vendor Advisory
[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-Mailing List, Vendor Advisory
[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-Mailing List, Vendor Advisory
[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-Mailing List, Vendor Advisory
[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.html security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-Mailing List, Vendor Advisory
[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/-Mailing List, Vendor Advisory
[httpd-cvs] 20210330 svn commit: r1073149 [8/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/-Mailing List, Vendor Advisory
[httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.html security/vulnerabilities_22.html security/vulnerabilities_24.html-Mailing List, Vendor Advisory
[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-Mailing List, Vendor Advisory
[httpd-cvs] 20210330 svn commit: r1888222 - in /httpd/site/trunk/content/security/json: CVE-2010-2068.json CVE-2010-2791.json CVE-2011-0419.json CVE-2011-3368.json-Mailing List, Vendor Advisory
[httpd-cvs] 20210330 svn commit: r1888194 [7/13] - /httpd/site/trunk/content/security/json/-Mailing List, Vendor Advisory
[httpd-cvs] 20210330 svn commit: r1073139 [7/13] - in /websites/staging/httpd/trunk/content: ./ security/json/-Mailing List, Vendor Advisory
[httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-Mailing List, Vendor Advisory
[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/-Mailing List, Vendor Advisory
[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/-Mailing List, Vendor Advisory
[httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-Mailing List, Vendor Advisory

Keywords

CVE-2011-0419

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2011-0419

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures