Vulnerability Details : CVE-2012-2138
The @CopyFrom operation in the POST servlet in the org.apache.sling.servlets.post bundle before 2.1.2 in Apache Sling does not prevent attempts to copy an ancestor node to a descendant node, which allows remote attackers to cause a denial of service (infinite loop) via a crafted HTTP request.
Vulnerability category: Denial of service
Products affected by CVE-2012-2138
- cpe:2.3:a:apache:org.apache.sling.servlets.post:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-2138
0.37%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 73 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-2138
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
CWE ids for CVE-2012-2138
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-2138
-
http://mail-archives.apache.org/mod_mbox/www-announce/201207.mbox/%3CCAEWfVJ=PwoQmwJg0KmbrC17Gw51kgfKRsqgy=4RpMQsdGh0bVg@mail.gmail.com%3E
[SECURITY] CVE-2012-2138 Apache Sling denial of service vulnerability
-
http://svn.apache.org/viewvc?view=revision&revision=1352865
[Apache-SVN] Revision 1352865
-
https://issues.apache.org/jira/browse/SLING-2517
[SLING-2517] Add validity checks to CopyFrom POST operation paths - ASF JIRA
Jump to