CVE-2011-1176

Published: 29/03/2011 Updated: 16/11/2020
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote malicious users to gain privileges by leveraging the root uid and root gid of an mpm-itk process.

Vulnerable Product

mpm-itk_project mpm-itk 2.2.11-01

mpm-itk_project mpm-itk 2.2.11-02

debian debian linux 5.0

debian debian linux 6.0

debian debian linux 7.0

Vendor Advisories

Debian Bug report logs - #618857 apache2-mpm-itk: if you do not assign a user ID, the default one from Apache is _NOT_ used. Package: apache2-mpm-itk; Maintainer for apache2-mpm-itk is Debian Apache Maintainers <debian-apache@lists.debian.org>; Source for apache2-mpm-itk is src:apache2. Reported by: Samu ...
Multiple vulnerabilities and a regression were fixed in the Apache HTTP server ...
MPM_ITK is an alternative Multi-Processing Module for Apache HTTPD that is included in Debian's apache2 package. A configuration parsing flaw has been found in MPM_ITK. If the configuration directive NiceValue was set, but no AssignUserID directive was specified, the requests would be processed as user and group root instead of the default Apache u ...