Vulnerability Details : CVE-2009-0023
The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, which triggers a heap-based buffer underflow.
Vulnerability category: Overflow, Denial of service
Products affected by CVE-2009-0023
- cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:0.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:0.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:apr-util:1.1.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-0023
- Probability of exploitation activity in the next 30 days: 3.94%
- Percentile (the proportion of vulnerabilities that are scored at or less): ~92%
CVSS scores for CVE-2009-0023
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2009-0023
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-0023
- http://secunia.com/advisories/35797
  About Secunia Research | Flexera [Third Party Advisory]
- http://marc.info/?l=bugtraq&m=129190899612998&w=2
  '[security bulletin] HPSBUX02612 SSRT100345 rev.1 - HP-UX Apache-based Web Server, Local Information' - MARC [Third Party Advisory]
- https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
  svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_ [Third Party Advisory]
- http://www.vupen.com/english/advisories/2009/3184
  Webmail: access your OVH emails on ovhcloud.com | OVHcloud [Third Party Advisory]
- https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
  svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_ [Third Party Advisory]
- http://wiki.rpath.com/Advisories:rPSA-2009-0144
  [Third Party Advisory]
- https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E
  svn commit: r1075360 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2 [Third Party Advisory]
- http://secunia.com/advisories/35284
  About Secunia Research | Flexera [Third Party Advisory; Vendor Advisory]
- http://www.debian.org/security/2009/dsa-1812
  Debian -- Security Information -- DSA-1812-1 apr-util [Patch; Third Party Advisory]
- https://lists.apache.org/thread.html/r8c9983f1172a3415f915ddb7e14de632d2d0c326eb1285755a024165%40%3Ccvs.httpd.apache.org%3E
  svn commit: r1074079 [2/3] - in /websites/staging/httpd/trunk/content: ./ apreq/ contribute/ contributors/ dev/ docs-project/ docs/ info/ mod_fcgid/ mod_ftp/ mod_mbox/ mod_smtpd/ modules/ security/ te [Third Party Advisory]
- http://www-01.ibm.com/support/docview.wss?uid=swg27014463
  Fix list for IBM WebSphere Application Server V7.0 [Third Party Advisory]
- http://www.vupen.com/english/advisories/2009/1907
  Webmail: access your OVH emails on ovhcloud.com | OVHcloud [Third Party Advisory]
- http://secunia.com/advisories/37221
  About Secunia Research | Flexera [Third Party Advisory]
- https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01201.html
  [SECURITY] Fedora 11 Update: apr-util-1.3.7-1.fc11 [Third Party Advisory]
- http://www.ubuntu.com/usn/usn-787-1
  USN-787-1: Apache vulnerabilities | Ubuntu security notices | Ubuntu [Third Party Advisory]
- http://secunia.com/advisories/35843
  About Secunia Research | Flexera [Third Party Advisory]
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:131
  Page not found - Mandriva.com [Third Party Advisory]
- http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
  Oracle Critical Patch Update - April 2013 [Third Party Advisory]
- http://secunia.com/advisories/35487
  About Secunia Research | Flexera [Third Party Advisory]
- http://support.apple.com/kb/HT3937
  Page Not Found - Apple Support [Third Party Advisory]
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
  mandriva.com [Third Party Advisory]
- http://secunia.com/advisories/35444
  About Secunia Research | Flexera [Third Party Advisory]
- https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
  svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html s [Third Party Advisory]
- http://www.securityfocus.com/bid/35221
  [Third Party Advisory; VDB Entry]
- https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01228.html
  [SECURITY] Fedora 10 Update: apr-util-1.3.7-1.fc10 [Third Party Advisory]
- http://www-01.ibm.com/support/docview.wss?uid=swg1PK91241
  PK91241: Z/OS IBM HTTP SERVER FOR WEBSPHERE (POWERED BY APACHE) FIX PACK 6.1.0.27 [Third Party Advisory]
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
  svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/-Apache Mail Archives [Third Party Advisory]
- http://secunia.com/advisories/35360
  About Secunia Research | Flexera [Third Party Advisory; Vendor Advisory]
- http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
  404 Not Found [Third Party Advisory]
- https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
  svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_ [Third Party Advisory]
- http://security.gentoo.org/glsa/glsa-200907-03.xml
  APR Utility Library: Multiple vulnerabilities (GLSA 200907-03) — Gentoo security [Third Party Advisory]
- http://secunia.com/advisories/35395
  About Secunia Research | Flexera [Third Party Advisory]
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10968
  404 Not Found [Third Party Advisory]
- https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E
  Apache Mail Archives [Third Party Advisory]
- http://secunia.com/advisories/35710
  About Secunia Research | Flexera [Third Party Advisory]
- http://www.securityfocus.com/archive/1/507855/100/0/threaded
  [Third Party Advisory; VDB Entry]
- https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
  svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2 [Third Party Advisory]
- http://www-01.ibm.com/support/docview.wss?uid=swg1PK88341
  IBM notice: The page you requested cannot be displayed [Third Party Advisory]
- http://secunia.com/advisories/35565
  About Secunia Research | Flexera [Third Party Advisory]
- http://secunia.com/advisories/34724
  About Secunia Research | Flexera [Third Party Advisory]
- https://bugzilla.redhat.com/show_bug.cgi?id=503928
  503928 – (CVE-2009-0023) CVE-2009-0023 apr-util heap buffer underwrite [Issue Tracking; Patch; Third Party Advisory]
- http://svn.apache.org/viewvc?view=rev&revision=779880
  [Apache-SVN] Revision 779880 [Third Party Advisory]
- https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E
  Apache Mail Archives [Third Party Advisory]
- https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E
  Apache Mail Archives [Third Party Advisory]
- http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html
  [Mailing List; Third Party Advisory]
- https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01173.html
  [SECURITY] Fedora 9 Update: apr-util-1.2.12-7.fc9 [Third Party Advisory]
- http://www.redhat.com/support/errata/RHSA-2009-1108.html
  Support [Third Party Advisory]
- http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.538210
  The Slackware Linux Project: Slackware Security Advisories [Third Party Advisory]
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
  svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/-Apache Mail Archives [Third Party Advisory]
- http://www.redhat.com/support/errata/RHSA-2009-1107.html
  Support [Third Party Advisory]
- http://www.ubuntu.com/usn/usn-786-1
  USN-786-1: apr-util vulnerabilities | Ubuntu security notices | Ubuntu [Third Party Advisory]
- https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
  svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html [Third Party Advisory]
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12321
  404 Not Found [Third Party Advisory]
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50964
  Apache APR-util apr_strmatch_precompile() denial of service CVE-2009-0023 Vulnerability Report [Third Party Advisory; VDB Entry]
- http://www-01.ibm.com/support/docview.wss?uid=swg1PK99478
  PK99478: SHIP APAR FIXES FOR H28W700 FIX PACK 7.0.0.7. [Third Party Advisory]
- https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
  svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_ [Third Party Advisory]