CVE-2012-1181

Published: 19/03/2012 Updated: 29/08/2017
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

fcgid_spawn_ctl.c in the mod_fcgid module 2.3.6 for the Apache HTTP Server does not recognize the FcgidMaxProcessesPerClass directive for a virtual host, which makes it easier for remote malicious users to cause a denial of service (memory consumption) via a series of HTTP requests that triggers a process count higher than the intended limit.

Vulnerable Product

apache mod fcgid 2.3.6

Vendor Advisories

Debian Bug report logs - #615814 libapache2-mod-fcgid: FcgidMaxProcessesPerClass ignored in VirtualHost. Package: libapache2-mod-fcgid; Maintainer for libapache2-mod-fcgid is Xavier Guimard <yadd@debian.org>; Source for libapache2-mod-fcgid is src:libapache2-mod-fcgid. Reported by: jamie <jm@mayfirsto ...
It was discovered that the Apache FCGID module, a FastCGI implementation, did not properly enforce the FcgidMaxProcessesPerClass resource limit, rendering this control ineffective and potentially allowing a virtual host to consume excessive resources. For the stable distribution (squeeze), this problem has been fixed in version 1:2.3.6-1+squeeze1 ...