Vulnerability Description
The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value.
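An exposure check for the three preconditions named in the description above (affected version, threaded MPM, a `%{...}C` cookie item in a log format). It is an added example, not code from the Apache project or from this advisory. The function names, the `THREADED_MPMS` set and the sample configuration are assumptions made for the illustration.

```python
import re

# Affected range as stated in the description: 2.2.17 through 2.2.21.
AFFECTED_MIN, AFFECTED_MAX = (2, 2, 17), (2, 2, 21)
# Assumption: MPM names as reported by `httpd -V`; prefork is the non-threaded one.
THREADED_MPMS = {"worker", "event", "winnt"}
# Cookie logging item %{name}C, allowing modifiers such as %>{name}C or %!200,304{name}C.
COOKIE_ITEM = re.compile(r"%[!<>,\d]*\{[^}]*\}C")
LOG_DIRECTIVE = re.compile(r"(LogFormat|CustomLog)\b", re.IGNORECASE)

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Apache/2.2.19 (Unix)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g) for g in m.groups())

def cookie_log_lines(config_text):
    """Return (line_number, line) for active log directives containing %{...}C."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#") or not LOG_DIRECTIVE.match(stripped):
            continue
        # "%%" is a literal percent sign, so drop it before looking for items.
        if COOKIE_ITEM.search(stripped.replace("%%", "")):
            hits.append((number, stripped))
    return hits

def assess(version_text, mpm, config_text):
    """Combine the three preconditions; all must hold for the crash to apply."""
    in_range = AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX
    threaded = mpm.strip().lower() in THREADED_MPMS
    hits = cookie_log_lines(config_text)
    return {"affected_version": in_range, "threaded_mpm": threaded,
            "cookie_log_lines": hits,
            "exposed": in_range and threaded and bool(hits)}

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = r'''# access logging
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %t \"%r\" %>s %{session}C" withcookie
# LogFormat "%{old}C" disabled
CustomLog logs/access_log "%h %{User-Agent}i %%{x}C"
'''

if __name__ == "__main__":
    print(assess("Server version: Apache/2.2.19 (Unix)", "Worker", SAMPLE_CONF))
```

A distribution package can carry a backported fix under an unchanged version number, so treat a version match as a prompt to check the vendor advisories listed in the references.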
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | HTTP Server | 2.2.17 |
References
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
- http://httpd.apache.org/security/vulnerabilities_22.html (Vendor Advisory)
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
- http://marc.info/?l=bugtraq&m=133294460209056&w=2
- http://marc.info/?l=bugtraq&m=133494237717847&w=2
- http://rhn.redhat.com/errata/RHSA-2012-0542.html
- http://rhn.redhat.com/errata/RHSA-2012-0543.html
- http://secunia.com/advisories/48551
- http://support.apple.com/kb/HT5501
- http://svn.apache.org/viewvc?view=revision&revision=1227292 (Patch)
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:012
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
- https://bugzilla.redhat.com/show_bug.cgi?id=785065
- https://issues.apache.org/bugzilla/show_bug.cgi?id=52256 (Patch)
FAQ
What is CVE-2012-0021?
CVE-2012-0021 is a vulnerability with a CVSS score of 2.6 (LOW). The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, wh...
How severe is CVE-2012-0021?
CVE-2012-0021 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2012-0021?
Check the references section above for vendor advisories and patch information. Affected products include: Apache HTTP Server.