CVE-2010-2791

MEDIUM

Description

mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE: this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions.

References

http://www.mandriva.com/security/advisories?name=MDVSA-2013:150

http://www.openwall.com/lists/oss-security/2010/07/30/1

http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html

http://www.redhat.com/support/errata/RHSA-2010-0659.html

http://www.securityfocus.com/bid/42102

https://exchange.xforce.ibmcloud.com/vulnerabilities/60883

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

Details

Source: MITRE

Published: 2010-08-05

Updated: 2017-08-17

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM