CVE-2014-3583


Description

The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers.

References

http://httpd.apache.org/security/vulnerabilities_24.html

https://bugzilla.redhat.com/show_bug.cgi?id=1163555

http://svn.apache.org/viewvc?view=revision&revision=1638818

http://www.securityfocus.com/bid/71657

http://www.ubuntu.com/usn/USN-2523-1

http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

https://support.apple.com/kb/HT205031

http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html

https://support.apple.com/HT205219

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

http://rhn.redhat.com/errata/RHSA-2015-1855.html

https://security.gentoo.org/glsa/201701-36

https://access.redhat.com/errata/RHSA-2015:1858

Details

Source: MITRE

Published: 2014-12-15

Updated: 2021-06-06

Type: CWE-119

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Tenable Plugins


ID    | Name                                                                                   | Product                   | Family                             | Severity
------|----------------------------------------------------------------------------------------|---------------------------|------------------------------------|---------
98907 | Apache 2.4.x < 2.4.12 Multiple Vulnerabilities                                         | Web Application Scanning  | Component Vulnerability            | high
96516 | GLSA-201701-36 : Apache: Multiple vulnerabilities (httpoxy)                            | Nessus                    | Gentoo Local Security Checks       | high
8981  | Mac OS X < 10.10.5 Multiple Vulnerabilities                                            | Nessus Network Monitor    | Operating System Detection         | high
86242 | RHEL 6 : mod_proxy_fcgi (RHSA-2015:1855)                                               | Nessus                    | Red Hat Local Security Checks      | medium
86066 | Mac OS X : OS X Server < 5.0.3 Multiple Vulnerabilities                                | Nessus                    | MacOS X Local Security Checks      | critical
85409 | Mac OS X Multiple Vulnerabilities (Security Update 2015-006)                           | Nessus                    | MacOS X Local Security Checks      | high
85408 | Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities                                    | Nessus                    | MacOS X Local Security Checks      | high
82916 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : httpd (SSA:2015-111-03)        | Nessus                    | Slackware Local Security Checks    | medium
81837 | Fedora 21 : httpd-2.4.10-15.fc21 (2014-17195)                                          | Nessus                    | Fedora Local Security Checks       | medium
81755 | Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : apache2 vulnerabilities (USN-2523-1) | Nessus                    | Ubuntu Local Security Checks       | medium
81581 | Fedora 20 : httpd-2.4.10-2.fc20 (2014-17153)                                           | Nessus                    | Fedora Local Security Checks       | medium
8938  | Apache HTTP Server 2.4.10 FastCGI DoS                                                  | Nessus Network Monitor    | Web Servers                        | medium
81329 | Amazon Linux AMI : httpd24 (ALAS-2015-483)                                             | Nessus                    | Amazon Linux Local Security Checks | medium
81126 | Apache 2.4.x < 2.4.12 Multiple Vulnerabilities                                         | Nessus                    | Web Servers                        | medium
81116 | FreeBSD : apache24 -- several vulnerabilities (5804b9d4-a959-11e4-9363-20cf30e32f6d)   | Nessus                    | FreeBSD Local Security Checks      | medium