CVE-2012-0840

medium

Description

tables/apr_hash.c in the Apache Portable Runtime (APR) library through 1.4.5 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

References

http://mail-archives.apache.org/mod_mbox/apr-commits/201201.mbox/%[email protected]%3E

http://openwall.com/lists/oss-security/2012/02/08/3

http://openwall.com/lists/oss-security/2012/02/09/1

http://secunia.com/advisories/47862

http://svn.apache.org/viewvc?rev=1231605&view=rev

http://www.mail-archive.com/dev%40apr.apache.org/msg24439.html

http://www.mail-archive.com/dev%40apr.apache.org/msg24472.html

http://www.mail-archive.com/dev%40apr.apache.org/msg24473.html

http://www.mandriva.com/security/advisories?name=MDVSA-2012:019

https://exchange.xforce.ibmcloud.com/vulnerabilities/73096

Details

Source: MITRE

Published: 2012-02-10

Updated: 2017-12-05

Type: CWE-20

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:portable_runtime:0.9.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:0.9.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:0.9.2-dev:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:0.9.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:0.9.3-dev:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:0.9.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:0.9.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:0.9.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:0.9.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:0.9.7-dev:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:0.9.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:0.9.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:0.9.16-dev:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.4-dev:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.6-dev:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.3.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.4.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.4.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.4.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:1.4.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:portable_runtime:*:*:*:*:*:*:*:* versions up to 1.4.5 (inclusive)

Tenable Plugins


ID    | Name                                                                                  | Product | Family                          | Severity
------|---------------------------------------------------------------------------------------|---------|---------------------------------|---------
74066 | GLSA-201405-24 : Apache Portable Runtime, APR Utility Library: Denial of Service      | Nessus  | Gentoo Local Security Checks    | medium
58188 | Fedora 16 : apr-1.4.6-1.fc16 (2012-1709)                                              | Nessus  | Fedora Local Security Checks    | medium
58187 | Fedora 15 : apr-1.4.6-1.fc15 (2012-1656)                                              | Nessus  | Fedora Local Security Checks    | medium
57955 | Mandriva Linux Security Advisory : apr (MDVSA-2012:019)                               | Nessus  | Mandriva Local Security Checks  | medium