CVE-2009-3095

Severity: medium

Description

The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11.

References

http://intevydis.com/vd-list.shtml

http://secunia.com/advisories/37152

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html

http://www.debian.org/security/2009/dsa-1934

http://wiki.rpath.com/Advisories:rPSA-2009-0155

https://bugzilla.redhat.com/show_bug.cgi?id=522209

https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00645.html

https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00944.html

http://support.apple.com/kb/HT4077

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

http://marc.info/?l=bugtraq&m=130497311408250&w=2

http://marc.info/?l=bugtraq&m=126998684522511&w=2

http://marc.info/?l=bugtraq&m=133355494609819&w=2

http://marc.info/?l=bugtraq&m=127557640302499&w=2

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9363

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8662

http://www.securityfocus.com/archive/1/508075/100/0/threaded

https://lists.apache.org/thread.html/54a42d4b0[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

Details

Source: MITRE

Published: 2009-09-08

Updated: 2021-06-06

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Tenable Plugins (29 total)

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 67959 | Oracle Linux 4 : httpd (ELSA-2009-1580) | Nessus | Oracle Linux Local Security Checks | high |
| 67958 | Oracle Linux 3 / 5 : httpd (ELSA-2009-1579) | Nessus | Oracle Linux Local Security Checks | high |
| 67074 | CentOS 4 : httpd (CESA-2009:1580) | Nessus | CentOS Local Security Checks | high |
| 67073 | CentOS 3 / 5 : httpd (CESA-2009:1579) | Nessus | CentOS Local Security Checks | high |
| 60695 | Scientific Linux Security Update : httpd on SL3.x, SL4.x, SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | high |
| 50069 | Apache 2.0.x < 2.0.64 Multiple Vulnerabilities | Nessus | Web Servers | high |
| 49826 | SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 6572) | Nessus | SuSE Local Security Checks | high |
| 47168 | Fedora 11 : httpd-2.2.14-1.fc11 (2009-12747) | Nessus | Fedora Local Security Checks | high |
| 5489 | Mac OS X < 10.6.3 Multiple Vulnerabilities | Nessus Network Monitor | Generic | critical |
| 45373 | Mac OS X Multiple Vulnerabilities (Security Update 2010-002) | Nessus | MacOS X Local Security Checks | critical |
| 45372 | Mac OS X 10.6.x < 10.6.3 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical |
| 44799 | Debian DSA-1934-1 : apache2 - multiple issues | Nessus | Debian Local Security Checks | high |
| 44120 | Slackware 12.0 / 12.1 / 12.2 / 13.0 / current : httpd (SSA:2010-024-01) | Nessus | Slackware Local Security Checks | high |
| 43329 | Fedora 12 : httpd-2.2.14-1.fc12 (2009-12606) | Nessus | Fedora Local Security Checks | high |
| 43090 | Fedora 10 : httpd-2.2.14-1.fc10 (2009-12604) | Nessus | Fedora Local Security Checks | high |
| 43042 | Mandriva Linux Security Advisory : apache (MDVSA-2009:323) | Nessus | Mandriva Local Security Checks | high |
| 42858 | Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : apache2 vulnerabilities (USN-860-1) | Nessus | Ubuntu Local Security Checks | high |
| 42470 | RHEL 4 : httpd (RHSA-2009:1580) | Nessus | Red Hat Local Security Checks | high |
| 42469 | RHEL 3 / 5 : httpd (RHSA-2009:1579) | Nessus | Red Hat Local Security Checks | high |
| 42319 | openSUSE 10 Security Update : apache2 (apache2-6576) | Nessus | SuSE Local Security Checks | high |
| 42253 | SuSE 10 Security Update : Apache 2 (ZYPP Patch Number 6571) | Nessus | SuSE Local Security Checks | high |
| 42252 | SuSE 11 Security Update : Apache 2 (SAT Patch Number 1417) | Nessus | SuSE Local Security Checks | high |
| 42248 | openSUSE Security Update : apache2 (apache2-1419) | Nessus | SuSE Local Security Checks | high |
| 42245 | openSUSE Security Update : apache2 (apache2-1419) | Nessus | SuSE Local Security Checks | high |
| 42243 | SuSE9 Security Update : Apache 2 (YOU Patch Number 12526) | Nessus | SuSE Local Security Checks | high |
| 42052 | Apache 2.2.x < 2.2.14 Multiple Vulnerabilities | Nessus | Web Servers | high |
| 800574 | Apache < 2.2.14 Multiple Vulnerabilities | Log Correlation Engine | Web Servers | high |
| 5196 | Apache < 2.2.14 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |
| 41049 | Mandriva Linux Security Advisory : apache (MDVSA-2009:240) | Nessus | Mandriva Local Security Checks | high |