mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
http://www.apache.org/dist/httpd/Announcement2.2.html
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?view=log
http://lists.opensuse.org/opensuse-updates/2013-08/msg00026.html
http://rhn.redhat.com/errata/RHSA-2013-1156.html
http://www.ubuntu.com/usn/USN-1903-1
http://lists.opensuse.org/opensuse-updates/2013-08/msg00029.html
http://lists.opensuse.org/opensuse-updates/2013-08/msg00030.html
http://www-01.ibm.com/support/docview.wss?uid=swg21644047
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1896
http://rhn.redhat.com/errata/RHSA-2013-1209.html
http://rhn.redhat.com/errata/RHSA-2013-1207.html
http://rhn.redhat.com/errata/RHSA-2013-1208.html
http://secunia.com/advisories/55032
http://support.apple.com/kb/HT6150
https://httpd.apache.org/security/vulnerabilities_24.html
http://www.securityfocus.com/bid/61129
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19747
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18835
Source: MITRE
Published: 2013-07-10
Updated: 2023-02-13
Type: NVD-CWE-noinfo
Base Score: 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Impact Score: 2.9
Exploitability Score: 8.6
Severity: MEDIUM