CVE-2015-0253
CVE-2015-0253
The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method to an installation that enables the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI.
Affected products
n/a · n/aWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://httpd.apache.org/security/vulnerabilities_24.htmlhttp://lists.apple.com/archives/security-announce/2015/Aug/msg00001.htmlhttp://lists.apple.com/archives/security-announce/2015/Sep/msg00004.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1666.htmlhttps://bz.apache.org/bugzilla/show_bug.cgi?id=57531https://github.com/apache/httpd/commit/6a974059190b8a0c7e499f4ab12fe108127099cbhttps://github.com/apache/httpd/commit/be0f5335e3e73eb63253b050fdc23f252f5c8ae3https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3Ehttps://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3Ehttps://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3Ehttps://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a%40%3Ccvs.httpd.apache.org%3Ehttps://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E