Vulnerability Description
Multiple race conditions in suexec in Apache HTTP Server (httpd) 2.2.3 between directory and file validation, and their usage, allow local users to gain privileges and execute arbitrary code by renaming directories or performing symlink attacks. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Http Server | 2.2.3 |
Related Weaknesses (CWE)
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511Vendor Advisory
- http://marc.info/?l=apache-httpd-dev&m=117511568709063&w=2Vendor Advisory
- http://marc.info/?l=apache-httpd-dev&m=117511834512138&w=2
- http://osvdb.org/38639
- http://www.securityfocus.com/bid/23438
- http://www.securitytracker.com/id?1017904
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33584
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=511Vendor Advisory
- http://marc.info/?l=apache-httpd-dev&m=117511568709063&w=2Vendor Advisory
- http://marc.info/?l=apache-httpd-dev&m=117511834512138&w=2
- http://osvdb.org/38639
- http://www.securityfocus.com/bid/23438
- http://www.securitytracker.com/id?1017904
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33584
FAQ
What is CVE-2007-1741?
CVE-2007-1741 is a vulnerability with a CVSS score of 6.2 (MEDIUM). Multiple race conditions in suexec in Apache HTTP Server (httpd) 2.2.3 between directory and file validation, and their usage, allow local users to gain privileges and execute arbitrary code by renami...
How severe is CVE-2007-1741?
CVE-2007-1741 has been rated MEDIUM with a CVSS base score of 6.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2007-1741?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server.