Permissions, Privileges, and Access Controls in apache2 (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2012-0053 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
apache2 (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU32827
Risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2012-0053
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.
MitigationInstall update from vendor's website.
Vulnerable software versionsapache2 (Alpine package): 2.2.20-r0 - 2.2.21-r3
External linkshttp://git.alpinelinux.org/aports/commit/?id=eb6bfe8b9093524e7eeeb50630c0dd0921880764
http://git.alpinelinux.org/aports/commit/?id=271ab41139ec89734cef1524dfc916f489708e9f
http://git.alpinelinux.org/aports/commit/?id=400a302e8bca4ad2bbef3bb38737680ef8fb53cd
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
