CVE-2012-3502

Description

The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp module and (2) mod_proxy_http.c in the mod_proxy_http module in the Apache HTTP Server 2.4.x before 2.4.3 does not properly determine the situations that require closing a back-end connection, which allows remote attackers to obtain sensitive information in opportunistic circumstances by reading a response that was intended for a different client.

References

http://httpd.apache.org/security/vulnerabilities_24.html

http://mail-archives.apache.org/mod_mbox/www-announce/201208.mbox/%[email protected]%3E

http://www.apache.org/dist/httpd/CHANGES_2.4.3

http://www.securityfocus.com/bid/55131

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

Details

Source: MITRE

Published: 2012-08-22

Updated: 2013-04-19

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM