Published: 20/07/2014 Updated: 07/11/2023

CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6

VMScore: 685

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Subscribe to Http Server

Race condition in the mod_status module in the Apache HTTP Server prior to 2.4.10 allows remote malicious users to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.

Vulnerable Product	Search on Vulmon	Subscribe to Product
apache http server
debian debian linux 8.0
debian debian linux 7.0
redhat jboss_enterprise_application_platform 6.0.0
redhat jboss_enterprise_application_platform 6.4.0
oracle secure global desktop 4.71
oracle http server 12.1.3.0
oracle secure global desktop 4.63
oracle enterprise manager ops center 12.1.4
oracle http server 12.1.2.0
oracle http server 11.1.1.7.0
oracle http server 10.1.3.5.0
oracle secure global desktop 5.0
oracle secure global desktop 5.1
oracle enterprise manager ops center 11.1.3

Several security issues were fixed in Apache HTTP Server ...

Several security issues were found in the Apache HTTP server CVE-2014-0118 The DEFLATE input filter (inflates request bodies) in mod_deflate allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size CVE-2014-0226 A race condition was found in m ...

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attac ...

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attac ...

A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attac ...

--[ 0 Sparse summary Race condition between updating httpd's "scoreboard" and mod_status, leading to several critical scenarios like heap buffer overflow with user supplied payload and leaking heap which can leak critical memory containing htaccess credentials, ssl certificates private keys and so on --[ 1 Prerequisites Apache httpd compiled wi ...

CWE-362 http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c http://httpd.apache.org/security/vulnerabilities_24.html http://zerodayinitiative.com/advisories/ZDI-14-236/http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/lua/lua_request.c?r1=1588989&r2=1610491&diff_format=h https://bugzilla.redhat.com/show_bug.cgi?id=1120603 http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_status.c?r1=1450998&r2=1610491&diff_format=h http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/lua/lua_request.c http://rhn.redhat.com/errata/RHSA-2014-1019.html http://rhn.redhat.com/errata/RHSA-2014-1021.html http://rhn.redhat.com/errata/RHSA-2014-1020.html http://seclists.org/fulldisclosure/2014/Jul/114 http://secunia.com/advisories/60536 http://www.mandriva.com/security/advisories?name=MDVSA-2014:142 http://www.exploit-db.com/exploits/34133 http://www.securityfocus.com/bid/68678 http://www.osvdb.org/109216 http://advisories.mageia.org/MGASA-2014-0304.html http://www.debian.org/security/2014/dsa-2989 http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html http://advisories.mageia.org/MGASA-2014-0305.html http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html https://support.apple.com/HT204659 http://marc.info/?l=bugtraq&m=144493176821532&w=2 http://marc.info/?l=bugtraq&m=143748090628601&w=2 http://marc.info/?l=bugtraq&m=144050155601375&w=2 http://marc.info/?l=bugtraq&m=143403519711434&w=2 https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04832246 https://security.gentoo.org/glsa/201504-03 http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES http://security.gentoo.org/glsa/glsa-201408-12.xml https://puppet.com/security/cve/cve-2014-0226 https://www.povonsec.com/apache-2-4-7-exploit/https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/ra7f6aeb28661fbf826969526585f16856abc4615877875f9d3b35ef4%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r83109088737656fa6307bd99ab40f8ff0269ae58d3f7272d7048494a%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r9821b0a32a1d0a1b4947abb6f3630053fcbb2ec905d9a32c2bd4d4ee%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E https://usn.ubuntu.com/2299-1/https://nvd.nist.gov https://www.exploit-db.com/exploits/34133/https://access.redhat.com/security/cve/cve-2014-0226

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook