CVE-2009-1955

HIGH

Description

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.

ID	Name	Product	Family	Severity
67876	Oracle Linux 3 : httpd (ELSA-2009-1108)	Nessus	Oracle Linux Local Security Checks	high
67875	Oracle Linux 4 / 5 : apr-util (ELSA-2009-1107)	Nessus	Oracle Linux Local Security Checks	high
60598	Scientific Linux Security Update : httpd on SL3.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
60597	Scientific Linux Security Update : apr-util on SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
46217	SuSE9 Security Update : Apache 2 (YOU Patch Number 12613)	Nessus	SuSE Local Security Checks	critical
43758	CentOS 5 : apr-util (CESA-2009:1107)	Nessus	CentOS Local Security Checks	high
43000	Mandriva Linux Security Advisory : apr (MDVSA-2009:314)	Nessus	Mandriva Local Security Checks	critical
800795	Mac OS X 10.6 < 10.6.2 Multiple Vulnerabilities	Log Correlation Engine	Operating System Detection	high
5227	Mac OS X 10.6 < 10.6.2 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
42434	Mac OS X 10.6.x < 10.6.2 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
42433	Mac OS X Multiple Vulnerabilities (Security Update 2009-006)	Nessus	MacOS X Local Security Checks	critical
42010	openSUSE 10 Security Update : libapr-util1 (libapr-util1-6288)	Nessus	SuSE Local Security Checks	high
41543	SuSE 10 Security Update : libapr-util1 (ZYPP Patch Number 6289)	Nessus	SuSE Local Security Checks	high
41418	SuSE 11 Security Update : libapr-util1 (SAT Patch Number 969)	Nessus	SuSE Local Security Checks	high
41057	IBM WebSphere Application Server < 6.1.0.27 Multiple Vulnerabilities	Nessus	Web Servers	medium
5183	IBM WebSphere Application Server < 6.1.0.27 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
40760	FreeBSD : apache22 -- several vulnerabilities (e15f2356-9139-11de-8f42-001aa0166822)	Nessus	FreeBSD Local Security Checks	high
800567	Apache < 2.2.12 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	medium
40459	Slackware 12.0 / 12.1 / 12.2 / current : httpd (SSA:2009-214-01)	Nessus	Slackware Local Security Checks	high
5111	Apache < 2.2.12 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
40467	Apache 2.2.x < 2.2.12 Multiple Vulnerabilities	Nessus	Web Servers	high
40256	openSUSE Security Update : libapr-util1 (libapr-util1-968)	Nessus	SuSE Local Security Checks	high
40022	openSUSE Security Update : libapr-util1 (libapr-util1-968)	Nessus	SuSE Local Security Checks	high
39614	GLSA-200907-03 : APR Utility Library: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
39505	Fedora 11 : apr-util-1.3.7-1.fc11 (2009-6261)	Nessus	Fedora Local Security Checks	high
39504	Fedora 9 : apr-util-1.2.12-7.fc9 (2009-6014)	Nessus	Fedora Local Security Checks	high
39503	Fedora 10 : apr-util-1.3.7-1.fc10 (2009-5969)	Nessus	Fedora Local Security Checks	high
39438	CentOS 3 : httpd (CESA-2009:1108)	Nessus	CentOS Local Security Checks	high
39432	RHEL 3 : httpd (RHSA-2009:1108)	Nessus	Red Hat Local Security Checks	high
39431	RHEL 4 / 5 : apr-util (RHSA-2009:1107)	Nessus	Red Hat Local Security Checks	high
39422	Slackware 11.0 / 12.0 / 12.1 / 12.2 / current : apr-util (SSA:2009-167-02)	Nessus	Slackware Local Security Checks	high
39371	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : apache2 vulnerabilities (USN-787-1)	Nessus	Ubuntu Local Security Checks	high
39363	Ubuntu 8.04 LTS / 8.10 / 9.04 : apr-util vulnerabilities (USN-786-1)	Nessus	Ubuntu Local Security Checks	high
39333	Debian DSA-1812-1 : apr-util - denial of service	Nessus	Debian Local Security Checks	high
39323	Mandriva Linux Security Advisory : apr-util (MDVSA-2009:131)	Nessus	Mandriva Local Security Checks	high
39320	FreeBSD : apr -- multiple vulnerabilities (eb9212f7-526b-11de-bbf2-001b77d09812)	Nessus	FreeBSD Local Security Checks	high

CVE-2009-1955

Description

References

Details

Risk Information

CVSS v2.0