CVE-2009-1955MEDIUM
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
References
http://svn.apache.org/viewvc?view=rev&revision=781403
http://www.debian.org/security/2009/dsa-1812
http://secunia.com/advisories/35284
http://marc.info/?l=apr-dev&m=124396021826125&w=2
http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
http://secunia.com/advisories/35360
http://www.openwall.com/lists/oss-security/2009/06/03/4
http://www.mandriva.com/security/advisories?name=MDVSA-2009:131
http://www.securityfocus.com/bid/35253
http://www.ubuntu.com/usn/usn-786-1
http://www.redhat.com/support/errata/RHSA-2009-1108.html
http://www.redhat.com/support/errata/RHSA-2009-1107.html
http://secunia.com/advisories/35487
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.538210
http://secunia.com/advisories/35444
http://secunia.com/advisories/34724
http://secunia.com/advisories/35395
http://www.ubuntu.com/usn/usn-787-1
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01228.html
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01173.html
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01201.html
http://secunia.com/advisories/35565
http://secunia.com/advisories/35797
http://www-01.ibm.com/support/docview.wss?uid=swg1PK88342
http://www-01.ibm.com/support/docview.wss?uid=swg1PK91241
http://secunia.com/advisories/35710
http://secunia.com/advisories/35843
http://security.gentoo.org/glsa/glsa-200907-03.xml
http://www.vupen.com/english/advisories/2009/1907
http://secunia.com/advisories/36473
http://wiki.rpath.com/Advisories:rPSA-2009-0123
http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html
http://support.apple.com/kb/HT3937
http://www.vupen.com/english/advisories/2009/3184
http://www-01.ibm.com/support/docview.wss?uid=swg27014463
http://secunia.com/advisories/37221
http://www-01.ibm.com/support/docview.wss?uid=swg1PK99478
http://www.vupen.com/english/advisories/2010/1107
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
http://marc.info/?l=bugtraq&m=129190899612998&w=2
http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
https://www.exploit-db.com/exploits/8842
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12473
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10270
http://www.securityfocus.com/archive/1/506053/100/0/threaded
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
Details
Source: MITRE
Published: 2009-06-08
Updated: 2021-06-06
Type: NVD-CWE-noinfo
Risk Information
CVSS v2
Base Score: 5
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Impact Score: 2.9
Exploitability Score: 10
Severity: MEDIUM
Vulnerable Software
Configuration 1
OR
Configuration 2
OR
Configuration 3
OR
Configuration 4
OR
Configuration 5
OR
cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
Configuration 6
OR
cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*
Configuration 7
OR
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 67876 | Oracle Linux 3 : httpd (ELSA-2009-1108) | Nessus | Oracle Linux Local Security Checks | high |
| 67875 | Oracle Linux 4 / 5 : apr-util (ELSA-2009-1107) | Nessus | Oracle Linux Local Security Checks | high |
| 60598 | Scientific Linux Security Update : httpd on SL3.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | high |
| 60597 | Scientific Linux Security Update : apr-util on SL4.x, SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | high |
| 46217 | SuSE9 Security Update : Apache 2 (YOU Patch Number 12613) | Nessus | SuSE Local Security Checks | critical |
| 43758 | CentOS 5 : apr-util (CESA-2009:1107) | Nessus | CentOS Local Security Checks | high |
| 43000 | Mandriva Linux Security Advisory : apr (MDVSA-2009:314) | Nessus | Mandriva Local Security Checks | critical |
| 800795 | Mac OS X 10.6 < 10.6.2 Multiple Vulnerabilities | Log Correlation Engine | Operating System Detection | high |
| 5227 | Mac OS X 10.6 < 10.6.2 Multiple Vulnerabilities | Nessus Network Monitor | Generic | critical |
| 42434 | Mac OS X 10.6.x < 10.6.2 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical |
| 42433 | Mac OS X Multiple Vulnerabilities (Security Update 2009-006) | Nessus | MacOS X Local Security Checks | critical |
| 42010 | openSUSE 10 Security Update : libapr-util1 (libapr-util1-6288) | Nessus | SuSE Local Security Checks | high |
| 41543 | SuSE 10 Security Update : libapr-util1 (ZYPP Patch Number 6289) | Nessus | SuSE Local Security Checks | high |
| 41418 | SuSE 11 Security Update : libapr-util1 (SAT Patch Number 969) | Nessus | SuSE Local Security Checks | high |
| 5183 | IBM WebSphere Application Server < 6.1.0.27 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |
| 41057 | IBM WebSphere Application Server < 6.1.0.27 Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 40760 | FreeBSD : apache22 -- several vulnerabilities (e15f2356-9139-11de-8f42-001aa0166822) | Nessus | FreeBSD Local Security Checks | high |
| 800567 | Apache < 2.2.12 Multiple Vulnerabilities | Log Correlation Engine | Web Servers | medium |
| 5111 | Apache < 2.2.12 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |
| 40459 | Slackware 12.0 / 12.1 / 12.2 / current : httpd (SSA:2009-214-01) | Nessus | Slackware Local Security Checks | high |
| 40467 | Apache 2.2.x < 2.2.12 Multiple Vulnerabilities | Nessus | Web Servers | high |
| 40256 | openSUSE Security Update : libapr-util1 (libapr-util1-968) | Nessus | SuSE Local Security Checks | high |
| 40022 | openSUSE Security Update : libapr-util1 (libapr-util1-968) | Nessus | SuSE Local Security Checks | high |
| 39614 | GLSA-200907-03 : APR Utility Library: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 39505 | Fedora 11 : apr-util-1.3.7-1.fc11 (2009-6261) | Nessus | Fedora Local Security Checks | high |
| 39504 | Fedora 9 : apr-util-1.2.12-7.fc9 (2009-6014) | Nessus | Fedora Local Security Checks | high |
| 39503 | Fedora 10 : apr-util-1.3.7-1.fc10 (2009-5969) | Nessus | Fedora Local Security Checks | high |
| 39438 | CentOS 3 : httpd (CESA-2009:1108) | Nessus | CentOS Local Security Checks | high |
| 39432 | RHEL 3 : httpd (RHSA-2009:1108) | Nessus | Red Hat Local Security Checks | high |
| 39431 | RHEL 4 / 5 : apr-util (RHSA-2009:1107) | Nessus | Red Hat Local Security Checks | high |
| 39422 | Slackware 11.0 / 12.0 / 12.1 / 12.2 / current : apr-util (SSA:2009-167-02) | Nessus | Slackware Local Security Checks | high |
| 39371 | Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : apache2 vulnerabilities (USN-787-1) | Nessus | Ubuntu Local Security Checks | high |
| 39363 | Ubuntu 8.04 LTS / 8.10 / 9.04 : apr-util vulnerabilities (USN-786-1) | Nessus | Ubuntu Local Security Checks | high |
| 39333 | Debian DSA-1812-1 : apr-util - denial of service | Nessus | Debian Local Security Checks | high |
| 39323 | Mandriva Linux Security Advisory : apr-util (MDVSA-2009:131) | Nessus | Mandriva Local Security Checks | high |
| 39320 | FreeBSD : apr -- multiple vulnerabilities (eb9212f7-526b-11de-bbf2-001b77d09812) | Nessus | FreeBSD Local Security Checks | high |