Apache 2.4.x < 2.4.12 Multiple Vulnerabilities

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.

Synopsis :

The remote web server is affected by multiple vulnerabilities.

Description :

According to its banner, the version of Apache 2.4.x running on the
remote host is prior to 2.4.12. It is, therefore, affected by the
following vulnerabilities :

- A flaw exists in module mod_headers that can allow HTTP
trailers to replace HTTP headers late during request
processing, which a remote attacker can exploit to
inject arbitrary headers. This can also cause some
modules to function incorrectly or appear to function
incorrectly. (CVE-2013-5704)

- A NULL pointer dereference flaw exists in module
mod_cache. A remote attacker, using an empty HTTP
Content-Type header, can exploit this vulnerability to
crash a caching forward proxy configuration, resulting
in a denial of service if using a threaded MPM.

- A out-of-bounds memory read flaw exists in module
mod_proxy_fcgi. An attacker, using a remote FastCGI
server to send long response headers, can exploit this
vulnerability to cause a denial of service by causing
a buffer over-read. (CVE-2014-3583)

- A flaw exists in module mod_lua when handling a
LuaAuthzProvider used in multiple Require directives
with different arguments. An attacker can exploit this
vulnerability to bypass intended access restrictions.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :


Solution :

Upgrade to Apache version 2.4.12 or later. Alternatively, ensure that
the affected modules are not in use.

Risk factor :

Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.1
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 81126 ()

Bugtraq ID: 66550

CVE ID: CVE-2013-5704

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now