CVE-2009-1191 - mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers

CVE-2009-1191

Summary

mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request.

References

Vulnerable Configurations

cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 13-02-2023 - 02:19)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:N/A:N

oval via4

accepted

2014-07-14T04:01:28.881-04:00

class

vulnerability

contributors

name J. Daniel Brown
organization DTCC
name Mike Lah
organization The MITRE Corporation
name Shane Shaffer
organization G2, Inc.
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment	Apache HTTP Server 2.2.x is installed on the system
oval	oval:org.mitre.oval:def:8550

description

family

windows

oval:org.mitre.oval:def:8261

status

accepted

submitted

2010-03-08T17:30:00.000-05:00

title

Apache 'mod_proxy_ajp' Information Disclosure Vulnerability

version

redhat via4

rpms

httpd-0:2.2.10-4.ep5.el5
httpd-debuginfo-0:2.2.10-4.ep5.el5
httpd-devel-0:2.2.10-4.ep5.el5
httpd-manual-0:2.2.10-4.ep5.el5
httpd22-0:2.2.10-16.1.ep5.el4
httpd22-apr-0:2.2.10-16.1.ep5.el4
httpd22-apr-devel-0:2.2.10-16.1.ep5.el4
httpd22-apr-util-0:2.2.10-16.1.ep5.el4
httpd22-apr-util-devel-0:2.2.10-16.1.ep5.el4
httpd22-debuginfo-0:2.2.10-16.1.ep5.el4
httpd22-devel-0:2.2.10-16.1.ep5.el4
mod_ssl-1:2.2.10-4.ep5.el5
mod_ssl22-1:2.2.10-16.1.ep5.el4

refmap via4

apple	APPLE-SA-2009-11-09-1
bid	34663
confirm	http://support.apple.com/kb/HT3937 http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=766938&r2=767089 http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/PR46949.diff http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html https://issues.apache.org/bugzilla/show_bug.cgi?id=46949
gentoo	GLSA-200907-04
mandriva	MDVSA-2009:102 MDVSA-2013:150
mlist	[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
osvdb	53921
sectrack	1022264
secunia	34827 35395 35721
ubuntu	USN-787-1
vupen	ADV-2009-1147 ADV-2009-3184
xf	apache-modproxyajp-information-disclosure(50059)

Last major update

13-02-2023 - 02:19

Published

23-04-2009 - 17:30

Last modified

13-02-2023 - 02:19