This script is Copyright (C) 2017 Tenable Network Security, Inc.
The remote web server is affected by multiple vulnerabilities.
According to its banner, the version of Apache running on the remote
host is 2.4.x prior to 2.4.27. It is, therefore, affected by the
following vulnerabilities :
- A denial of service vulnerability exists in httpd due to
a failure to initialize or reset the value placeholder
in [Proxy-]Authorization headers of type 'Digest' before
or between successive key=value assignments by
mod_auth_digest. An unauthenticated, remote attacker can
exploit this, by providing an initial key with no '='
assignment, to disclose sensitive information or cause a
denial of service condition. (CVE-2017-9788)
- A read-after-free error exists in httpd that is
triggered when closing a large number of connections. An
unauthenticated, remote attacker can exploit this to
have an unspecified impact. (CVE-2017-9789)
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.
See also :
Upgrade to Apache version 2.4.27 or later.
Risk factor :
High / CVSS Base Score : 8.5
CVSS Temporal Score : 6.3
Public Exploit Available : false