NULL pointer dereference in Apache Http_server
CVE-2013-2765
The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request with a large body and a crafted Content-…
EPSS: 0.054 (90.3th percentile) — read the EPSS interpretation.
Affected products
- Apache Http_server
- Trustwave Modsecurity
- Opensuse — versions 11.4, 12.2, 12.3
- N/a — versions n/a
Weakness classification (CWE)
Public proof-of-concept exploits
References
- [mod-security-users] 20130527 Availability of ModSecurity 2.7.4 Stable Release (mailing-list, x_refsource_MLIST, Third Party Advisory)
- openSUSE-SU-2013:1342 (vendor-advisory, Mailing List, Third Party Advisory, x_refsource_SUSE)
- cve@mitre.org (x_refsource_CONFIRM, Patch, Third Party Advisory, Issue Tracking)
- openSUSE-SU-2013:1331 (vendor-advisory, Mailing List, Third Party Advisory, x_refsource_SUSE)
- 20130528 [SECURITY][CVE-2013-2765][ModSecurity] Remote Null Pointer Dereference (mailing-list, x_refsource_BUGTRAQ, Broken Link)
- cve@mitre.org (x_refsource_CONFIRM, Broken Link)
- cve@mitre.org (Third Party Advisory, x_refsource_MISC)
- cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)
- cve@mitre.org (Exploit, Third Party Advisory, x_refsource_MISC)
- cve@mitre.org (Patch, Third Party Advisory, x_refsource_MISC)
Frequently asked questions
- What is CVE-2013-2765?
- CVE-2013-2765 is a vulnerability in Apache Http_server, classified under NULL Pointer Dereference. Published 2013-07-15.
- Is CVE-2013-2765 known to be exploited?
- 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.