Vulnerability identifier: #VU7517
Vulnerability risk: Low
Exploitation vector: Network
Exploit availability: No
Vendor: Apache Foundation
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the targeted system.
The weakness exists because mod_auth_digest does not properly initialize the value placeholder when parsing [Proxy-]Authorization headers of type 'Digest', either before or between successive key=value assignments. A remote attacker can provide an initial key with no '=' assignment, which causes the stale value of uninitialized pool memory used by the prior request to leak.
Successful exploitation of the vulnerability results in information disclosure.
Update Apache HTTP Server to version 2.2.34 or 2.4.26.
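For hosts that cannot be updated immediately, requests carrying the malformed header form described above can be flagged at a proxy or WAF. The following Python check is an added example, not code from this advisory or from the Apache project; the function names and the sample header values are constructed for illustration, and it assumes the raw header values are available to the inspecting component.

```python
import string

# RFC 7230 token characters: Digest parameter names are made of these.
TOKEN = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")

def bare_digest_keys(value):
    """Return Digest parameter names that have no '=' assignment."""
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "digest":
        return []  # other schemes are out of scope
    rest, bare, i, n = parts[1], [], 0, len(parts[1])
    while i < n:
        while i < n and rest[i] in " \t,":   # separators between parameters
            i += 1
        start = i
        while i < n and rest[i] in TOKEN:    # parameter name
            i += 1
        key = rest[start:i]
        while i < n and rest[i] in " \t":
            i += 1
        if i < n and rest[i] == "=":
            i += 1
            while i < n and rest[i] in " \t":
                i += 1
            if i < n and rest[i] == '"':     # quoted value, may hold commas
                i += 1
                while i < n and rest[i] != '"':
                    i += 2 if rest[i] == "\\" else 1
                i += 1                       # closing quote
            else:                            # unquoted value
                while i < n and rest[i] not in " \t,":
                    i += 1
        elif key:
            bare.append(key)                 # key with no '=': the flagged form
        elif i < n:
            i += 1                           # stray character, keep advancing
    return bare

def flag_request(headers):
    """Map header name -> bare keys, for the two headers the advisory names."""
    names = ("authorization", "proxy-authorization")
    found = {k: bare_digest_keys(v) for k, v in headers.items() if k.lower() in names}
    return {k: v for k, v in found.items() if v}

# Constructed sample header values (not taken from real traffic).
WELL_FORMED = 'Digest username="alice", realm="a, b", nonce="abc", uri="/", nc=00000001'
BARE_FIRST = 'Digest placeholder, username="alice", realm="example"'
BARE_BETWEEN = 'Digest username="alice", realm, nonce="abc"'
```

A non-empty result from `flag_request` marks a request worth logging or rejecting before it reaches an unpatched server; well-formed Digest credentials and other schemes return nothing.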
Vulnerable software versions
Apache HTTP Server: 2.2.0 - 2.4.25
Can this vulnerability be exploited remotely?
Is there known malware that exploits this vulnerability?