CVE-2012-0053

medium

Description

protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.

References

http://httpd.apache.org/security/vulnerabilities_22.html

https://bugzilla.redhat.com/show_bug.cgi?id=785069

http://svn.apache.org/viewvc?view=revision&revision=1235454

http://www.securityfocus.com/bid/51706

http://rhn.redhat.com/errata/RHSA-2012-0128.html

http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00026.html

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041

http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html

http://secunia.com/advisories/48551

http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html

http://support.apple.com/kb/HT5501

http://marc.info/?l=bugtraq&m=136441204617335&w=2

http://kb.juniper.net/JSA10585

http://www.mandriva.com/security/advisories?name=MDVSA-2013:150

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://marc.info/?l=bugtraq&m=133494237717847&w=2

http://marc.info/?l=bugtraq&m=133951357207000&w=2

http://www.debian.org/security/2012/dsa-2405

http://rhn.redhat.com/errata/RHSA-2012-0543.html

http://rhn.redhat.com/errata/RHSA-2012-0542.html

http://marc.info/?l=bugtraq&m=133294460209056&w=2

http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00002.html

http://www.mandriva.com/security/advisories?name=MDVSA-2012:012

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

Details

Source: MITRE

Published: 2012-01-28

Updated: 2021-06-06

Type: CWE-264

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM