MEDIUM
envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl.
http://article.gmane.org/gmane.comp.apache.devel/48158
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00009.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00012.html
http://marc.info/?l=bugtraq&m=134012830914727&w=2
http://secunia.com/advisories/48849
http://support.apple.com/kb/HT5880
http://svn.apache.org/viewvc?view=revision&revision=1296428
http://www.apache.org/dist/httpd/Announcement2.4.html
http://www.apachelounge.com/Changelog-2.4.html
http://www.securityfocus.com/bid/53046
http://www.securitytracker.com/id?1026932
http://www.xerox.com/download/security/security-bulletin/16287-4d6b7b0c81f7b/cert_XRX13-003_v1.0.pdf
https://exchange.xforce.ibmcloud.com/vulnerabilities/74901
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
OR
cpe:2.3:a:apache:http_server:0.8.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:0.8.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.2.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.2.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.2.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.29:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.30:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.31:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.32:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.33:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.34:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.35:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.36:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.37:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.38:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.39:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.41:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.42:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.65:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.68:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.99:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.28:beta:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.32:beta:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.34:beta:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.49:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.50:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.51:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.52:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.53:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.54:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.55:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.56:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.57:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.58:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.59:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.60:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.61:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.63:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.1.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.1.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.1.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.1.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.1.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.1.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.3.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* versions up to 2.4.1 (inclusive)
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 98900 | Apache 2.4.x < 2.4.2 'LD_LIBRARY_PATH' Insecure Library Loading | Web Application Scanning | Component Vulnerability | medium |
| 83578 | SUSE SLES10 Security Update : apache2 (SUSE-SU-2013:0469-1) | Nessus | SuSE Local Security Checks | medium |
| 83577 | SUSE SLES10 Security Update : apache2 (SUSE-SU-2013:0387-1) | Nessus | SuSE Local Security Checks | medium |
| 80583 | Oracle Solaris Third-Party Patch Update : apache (multiple_vulnerabilities_in_apache_http2) | Nessus | Solaris Local Security Checks | medium |
| 75181 | openSUSE Security Update : apache2 (openSUSE-SU-2013:0243-1) | Nessus | SuSE Local Security Checks | medium |
| 8008 | Mac OS X 10.8 < 10.8.5 Multiple Vulnerabilities (Security Update 2013-004) | Nessus Network Monitor | Web Clients | critical |
| 69878 | Mac OS X Multiple Vulnerabilities (Security Update 2013-004) | Nessus | MacOS X Local Security Checks | critical |
| 69877 | Mac OS X 10.8.x < 10.8.5 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical |
| 69020 | HP System Management Homepage < 7.2.1.0 Multiple Vulnerabilities (BEAST) | Nessus | Web Servers | high |
| 65025 | SuSE 10 Security Update : apache2 (ZYPP Patch Number 8443) | Nessus | SuSE Local Security Checks | medium |
| 65023 | SuSE 11.2 Security Update : Apache (SAT Patch Number 7409) | Nessus | SuSE Local Security Checks | medium |
| 64595 | Fedora 17 : httpd-2.2.23-1.fc17 (2013-1661) | Nessus | Fedora Local Security Checks | medium |
| 62386 | Mandriva Linux Security Advisory : apache (MDVSA-2012:154-1) | Nessus | Mandriva Local Security Checks | medium |
| 6576 | Apache 2.2 < 2.2.23 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |
| 62101 | Apache 2.2.x < 2.2.23 Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 61388 | FreeBSD : Apache -- Insecure LD_LIBRARY_PATH handling (de2bc01f-dc44-11e1-9f4d-002354ed89bc) | Nessus | FreeBSD Local Security Checks | medium |
| 59678 | GLSA-201206-25 : Apache HTTP Server: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 58795 | Apache 2.4.x < 2.4.2 'LD_LIBRARY_PATH' Insecure Library Loading | Nessus | Web Servers | medium |