Vulnerability Details : CVE-2012-0053
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.
Exploit prediction scoring system (EPSS) score for CVE-2012-0053
Probability of exploitation activity in the next 30 days: 96.72%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 99 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2012-0053
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
[email protected] |
References for CVE-2012-0053
-
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
Broken Link;Mailing List
-
http://rhn.redhat.com/errata/RHSA-2012-0542.html
Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00026.html
Mailing List;Third Party Advisory
-
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
Broken Link
-
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
http://marc.info/?l=bugtraq&m=133951357207000&w=2
Issue Tracking;Mailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r9b4b963760a3cb5a4a70c902f325c6c0337fe51d5b8570416f8f8729@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r1d201e3da31a2c8aa870c8314623caef7debd74a13d0f25205e26f15@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
http://www.mandriva.com/security/advisories?name=MDVSA-2012:012
Broken Link
-
https://lists.apache.org/thread.html/r05b5357d1f6bd106f41541ee7d87aafe3f5ea4dc3e9bde5ce09baff8@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
http://marc.info/?l=bugtraq&m=136441204617335&w=2
Issue Tracking;Mailing List;Third Party Advisory
-
http://www.debian.org/security/2012/dsa-2405
Third Party Advisory
-
http://kb.juniper.net/JSA10585
Third Party Advisory
-
http://marc.info/?l=bugtraq&m=133494237717847&w=2
Issue Tracking;Mailing List;Third Party Advisory
-
http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
Third Party Advisory
-
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
Broken Link
-
https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
Third Party Advisory
-
http://www.securityfocus.com/bid/51706
Third Party Advisory;VDB Entry
-
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
http://svn.apache.org/viewvc?view=revision&revision=1235454
Patch;Vendor Advisory
-
http://marc.info/?l=bugtraq&m=133294460209056&w=2
Issue Tracking;Mailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=785069
Issue Tracking;Third Party Advisory
-
https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
http://httpd.apache.org/security/vulnerabilities_22.html
Vendor Advisory
-
https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
http://rhn.redhat.com/errata/RHSA-2012-0128.html
Third Party Advisory
-
http://support.apple.com/kb/HT5501
Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00002.html
Mailing List;Third Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2012-0543.html
Third Party Advisory
-
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E
Mailing List;Vendor Advisory
Products affected by CVE-2012-0053
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:6.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_web_server:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:storage:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:10:sp4:*:*:-:*:*:*
- cpe:2.3:o:suse:linux_enterprise_software_development_kit:10:sp4:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*