Vulnerability in Apache Http_server
CVE-2012-0053
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies vi…
EPSS: 0.338 (97.0th percentile)
Affected products
- Apache Http_server
- Debian Debian_linux — versions 5.0, 6.0, 7.0
- Opensuse — versions 11.4
- Redhat Enterprise_linux — versions 5.0, 6.0
- Redhat Enterprise_linux_desktop — versions 6.0
- Redhat Enterprise_linux_eus — versions 6.2
- Redhat Enterprise_linux_server — versions 6.0
- Redhat Enterprise_linux_workstation — versions 6.0
- Redhat Jboss_enterprise_web_server — versions 1.0.0
- Redhat Storage — versions 2.0
Public proof-of-concept exploits
References
- HPSBMU02786 (x_refsource_HP, vendor-advisory, Broken Link)
- MDVSA-2012:012 (vendor-advisory, x_refsource_MANDRIVA, Broken Link)
- 51706 (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_BID)
- SSRT101112 (x_refsource_HP, vendor-advisory, Mailing List, Third Party Advisory, Issue Tracking)
- RHSA-2012:0543 (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
- SSRT100772 (x_refsource_HP, vendor-advisory, Mailing List, Third Party Advisory, Issue Tracking)
- RHSA-2012:0128 (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
- secalert@redhat.com (x_refsource_CONFIRM, Third Party Advisory)
- RHSA-2012:0542 (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
- secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
Frequently asked questions
- What is CVE-2012-0053?
- CVE-2012-0053 is a vulnerability in Apache Http_server. Published 2012-01-28.
- Is CVE-2012-0053 known to be exploited?
- 34 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.