Main Vulnerability Database Vulnerabilities #VU7517

#VU7517 Information disclosure in Apache HTTP Server - CVE-2017-9788

Published: July 13, 2017 / Updated: July 14, 2017

Vulnerability identifier: #VU7517

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-9788

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Apache HTTP Server

Software vendor:
Apache Foundation

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the targeted system.

The weakness exists due to improper initialization of the value placeholder in [Proxy-]Authorization headers of type 'Digest' before or between successive key=value assignments by mod_auth_digest. A remote attacker can provide an initial key with no '=' assignment to cause the stale value of uninitialized pool memory used by the prior request to leak.

Successful exploitation of the vulnerability results in information disclosure.

Remediation

Update Apache HTTP server to version 2.2.34 or 2.4.26.

External links

https://httpd.apache.org/security/vulnerabilities_22.html

#VU7517 Information disclosure in Apache HTTP Server - CVE-2017-9788

Description

Remediation

External links

Please verify you're human