Detections
Analytics
Apache 2.4.x < 2.4.6 Multiple Vulnerabilities
critical Web App Scanning Plugin ID 98903
Language:
Synopsis
Apache 2.4.x < 2.4.6 Multiple VulnerabilitiesDescription
According to its banner, the version of Apache 2.4.x running on the remote host is prior to 2.4.6. It is, therefore, potentially affected by the following vulnerabilities :- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests. (CVE-2013-1896)
- An error exists related to the 'mod_session_dbd' module, flags and session-saving having an unspecified impact. (CVE-2013-2249)
Note that the scanner did not actually test for these issues, but instead has relied on the version in the server's banner.
Solution
Upgrade to Apache version 2.4.6 or later. Alternatively, ensure that the affected modules are not in use.See Also
https://archive.apache.org/dist/httpd/CHANGES_2.4.6
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.6
Plugin Details
Severity: Critical
ID: 98903
Type: remote
Family: Component Vulnerability
Published: 1/9/2019
Updated: 3/14/2023
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2013-2249
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2013-2249
Vulnerability Information
CPE: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 7/10/2013
Vulnerability Publication Date: 7/10/2013
Reference Information
CVE: CVE-2013-1896, CVE-2013-2249
CWE: 264
OWASP: 2010-A8, 2013-A7, 2013-A9, 2017-A5, 2017-A9, 2021-A1, 2021-A6
WASC: Insufficient Authorization
DISA STIG: APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1
PCI-DSS: 3.2-6.2