CVE - CVE-2009-1890

CVE-ID
CVE-2009-1890	Learn more at National Vulnerability Database (NVD) • Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings
Description
The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20091112 rPSA-2009-0142-1 httpd mod_ssl URL:http://www.securityfocus.com/archive/1/archive/1/507852/100/0/threaded BUGTRAQ:20091113 rPSA-2009-0142-2 httpd mod_ssl URL:http://www.securityfocus.com/archive/1/archive/1/507857/100/0/threaded CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrev=790587 CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?revision=790587 CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=790587&r2=790586&pathrev=790587 CONFIRM:http://svn.apache.org/viewvc?view=rev&revision=790587 CONFIRM:http://support.apple.com/kb/HT3937 CONFIRM:http://wiki.rpath.com/Advisories:rPSA-2009-0142 CONFIRM:http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html AIXAPAR:PK91259 URL:http://www-01.ibm.com/support/docview.wss?uid=swg1PK91259 AIXAPAR:PK99480 URL:http://www-01.ibm.com/support/docview.wss?uid=swg1PK99480 APPLE:APPLE-SA-2009-11-09-1 URL:http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html DEBIAN:DSA-1834 URL:http://www.debian.org/security/2009/dsa-1834 FEDORA:FEDORA-2009-8812 URL:https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01363.html GENTOO:GLSA-200907-04 URL:http://security.gentoo.org/glsa/glsa-200907-04.xml HP:HPSBUX02612 URL:http://marc.info/?l=bugtraq&m=129190899612998&w=2 HP:SSRT100345 URL:http://marc.info/?l=bugtraq&m=129190899612998&w=2 MANDRIVA:MDVSA-2009:149 URL:http://www.mandriva.com/security/advisories?name=MDVSA-2009:149 MANDRIVA:MDVSA-2013:150 URL:http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 REDHAT:RHSA-2009:1148 URL:https://rhn.redhat.com/errata/RHSA-2009-1148.html REDHAT:RHSA-2009:1156 URL:http://www.redhat.com/support/errata/RHSA-2009-1156.html SUSE:SUSE-SA:2009:050 URL:http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html UBUNTU:USN-802-1 URL:http://www.ubuntu.com/usn/USN-802-1 BID:35565 URL:http://www.securityfocus.com/bid/35565 OSVDB:55553 URL:http://osvdb.org/55553 OVAL:oval:org.mitre.oval:def:8616 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8616 OVAL:oval:org.mitre.oval:def:9403 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9403 OVAL:oval:org.mitre.oval:def:12330 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12330 SECTRACK:1022509 URL:http://www.securitytracker.com/id?1022509 SECUNIA:35691 URL:http://secunia.com/advisories/35691 SECUNIA:35721 URL:http://secunia.com/advisories/35721 SECUNIA:35793 URL:http://secunia.com/advisories/35793 SECUNIA:35865 URL:http://secunia.com/advisories/35865 SECUNIA:37152 URL:http://secunia.com/advisories/37152 SECUNIA:37221 URL:http://secunia.com/advisories/37221 VUPEN:ADV-2009-3184 URL:http://www.vupen.com/english/advisories/2009/3184
Assigning CNA
N/A
Date Entry Created
20090602	Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20090602)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE list, which standardizes names for security problems.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org

Use of the Common Vulnerabilities and Exposures List and the associated references from this Web site are subject to the Terms of Use. For more information, please email cve@mitre.org.

CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 1999–2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks and CVE-Compatible is a trademark of The MITRE Corporation.

Site Map
Privacy policy
Terms of use
Contact us