CVE-2007-6422 : The balancer_handler function in mod_proxy

The balancer_handler function in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6, when a threaded Multi-Processing Module is used, allows remote authenticated users to cause a denial of service (child process crash) via an invalid bb variable.

Published 2008-01-08 18:46:00

Updated 2021-06-06 11:15:15

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2007-6422

Apache » Http Server » Version: N/A
cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 2.2.1
cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 2.2
cpe:2.3:a:apache:http_server:2.2:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 2.2.3
cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 2.2.4
cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 2.2.2
cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*
Matching versions
Apache » Http Server » Version: 2.2.6
cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2007-6422

Top countries where our scanners detected CVE-2007-6422

Top open port discovered on systems with this issue 80

IPs affected by CVE-2007-6422 101,708

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2007-6422!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2007-6422

EPSS FAQ

16.21%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 96 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2007-6422

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.0	MEDIUM	AV:N/AC:L/Au:S/C:N/I:N/A:P	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2007-6422

CWE-399

Assigned by: nvd@nist.gov (Primary)

Vendor statements for CVE-2007-6422

Apache 2008-07-02

Fixed in Apache HTTP Server 2.2.8. http://httpd.apache.org/security/vulnerabilities_22.html

References for CVE-2007-6422

https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E

svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2

CVEs referencing this url
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E

svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html s

CVEs referencing this url
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00562.html

[SECURITY] Fedora 8 Update: httpd-2.2.8-1.fc8

CVEs referencing this url
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E

svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00004.html

[security-announce] SUSE Security Announcement: Apache,Apache2 security problems (SUSE-SA:2008:021) - openSUSE Security Announce - openSUSE Mailing Lists

CVEs referencing this url
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E

svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html

CVEs referencing this url
https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8@%3Ccvs.httpd.apache.org%3E

svn commit: r1073149 [6/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/-Apache Mail Archives

CVEs referencing this url
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00541.html

[SECURITY] Fedora 7 Update: httpd-2.2.8-1.fc7

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10181

404 Not Found
https://exchange.xforce.ibmcloud.com/vulnerabilities/39476

Apache mod_proxy_balancer balancer_handler function denial of service CVE-2007-6422 Vulnerability Report
http://www.ubuntu.com/usn/usn-575-1

USN-575-1: Apache vulnerabilities | Ubuntu security notices | Ubuntu

CVEs referencing this url
http://securityreason.com/securityalert/3523

Apache2 CSRF, XSS, Memory Corruption and Denial of Service Vulnerability - CXSecurity.com

CVEs referencing this url
http://security.gentoo.org/glsa/glsa-200803-19.xml

Apache: Multiple vulnerabilities (GLSA 200803-19) — Gentoo security

CVEs referencing this url
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E

svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ - Pony Mail

CVEs referencing this url
http://www.mandriva.com/security/advisories?name=MDVSA-2008:016

Mandriva

CVEs referencing this url
http://www.securityfocus.com/archive/1/486169/100/0/threaded

CVEs referencing this url
http://www.redhat.com/support/errata/RHSA-2008-0008.html

Support

CVEs referencing this url
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E

Pony Mail!

CVEs referencing this url
https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919@%3Ccvs.httpd.apache.org%3E

CVEs referencing this url
http://www.vupen.com/english/advisories/2008/0048

Site en construction
Vendor Advisory

CVEs referencing this url
http://www.redhat.com/support/errata/RHSA-2008-0009.html

Support

CVEs referencing this url
http://www.securityfocus.com/bid/27236

CVEs referencing this url
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E

Pony Mail!

CVEs referencing this url
http://httpd.apache.org/security/vulnerabilities_22.html

httpd 2.2 vulnerabilities - The Apache HTTP Server Project

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8690

404 Not Found
https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be@%3Ccvs.httpd.apache.org%3E

CVEs referencing this url
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E

svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_

CVEs referencing this url
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E

svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_

CVEs referencing this url

Jump to