Vulnerability Description
mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE: this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions.
CVSS Score
5.0 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | HTTP Server | 2.2.9 |
| Unix | Unix | All versions |
Related Weaknesses (CWE)
References
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- http://www.openwall.com/lists/oss-security/2010/07/30/1
- http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
- http://www.redhat.com/support/errata/RHSA-2010-0659.html
- http://www.securityfocus.com/bid/42102
- https://exchange.xforce.ibmcloud.com/vulnerabilities/60883
- https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772
- https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f74
- https://lists.apache.org/thread.html/r064df0985779b7ee044d3120d71ba59750427cf53f
- https://lists.apache.org/thread.html/r1d201e3da31a2c8aa870c8314623caef7debd74a13
- https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76f
- https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d65
- https://lists.apache.org/thread.html/r688df6f16f141e966a0a47f817e559312b3da27886
- https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb
- https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7
FAQ
What is CVE-2010-2791?
CVE-2010-2791 is a vulnerability with a CVSS score of 5.0 (MEDIUM). mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remot...
How severe is CVE-2010-2791?
CVE-2010-2791 has been rated MEDIUM, with a CVSS base score of 5.0/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2010-2791?
Check the references section above for vendor advisories and patch information. Affected products include: Apache HTTP Server, Unix.