Vulnerability Description
mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Http Server | >= 2.2.0, < 2.2.25 |
| Redhat | Jboss Enterprise Application Platform | 6.0.0 |
| Redhat | Enterprise Linux | 5.0 |
| Redhat | Enterprise Linux Desktop | 5.0 |
| Redhat | Enterprise Linux Eus | 5.9 |
| Redhat | Enterprise Linux Server | 5.0 |
| Redhat | Enterprise Linux Server Aus | 5.9 |
| Redhat | Enterprise Linux Workstation | 5.0 |
| Canonical | Ubuntu Linux | 10.04 |
| Opensuse | Opensuse | 11.4 |
References
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00026.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00029.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00030.htmlMailing ListThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1156.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1207.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1208.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1209.htmlThird Party Advisory
- http://secunia.com/advisories/55032Not Applicable
- http://support.apple.com/kb/HT6150Third Party Advisory
- http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?r1=148ExploitPatchVendor Advisory
- http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?view=lVendor Advisory
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1896Broken Link
- http://www-01.ibm.com/support/docview.wss?uid=swg21644047Third Party Advisory
- http://www.apache.org/dist/httpd/Announcement2.2.htmlVendor Advisory
- http://www.securityfocus.com/bid/61129Third Party AdvisoryVDB Entry
FAQ
What is CVE-2013-1896?
CVE-2013-1896 is a vulnerability with a CVSS score of 4.3 (MEDIUM). mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a ME...
How severe is CVE-2013-1896?
CVE-2013-1896 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-1896?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Eus.