CVE-2018-1301 — MEDIUM (5.9)

Q: How severe is CVE-2018-1301?

CVE-2018-1301 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-1301?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Canonical Ubuntu Linux, Netapp Santricity Cloud Connector, Netapp Storage Automation Store.

Vulnerability Description

A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.

CVSS Score

5.9

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Http Server	<= 2.4.29
Debian	Debian Linux	7.0
Canonical	Ubuntu Linux	12.04
Netapp	Santricity Cloud Connector	-
Netapp	Storage Automation Store	-
Netapp	Storagegrid	-
Netapp	Clustered Data Ontap	-
Redhat	Enterprise Linux	6.0

Related Weaknesses (CWE)

CWE-119

References

http://www.openwall.com/lists/oss-security/2018/03/24/2Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/103515Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1040573Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:3558Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0366Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0367Third Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cd
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e10
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda
https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935
https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d9784
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f8
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa

FAQ

What is CVE-2018-1301?

CVE-2018-1301 is a vulnerability with a CVSS score of 5.9 (MEDIUM). A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerabilit...

How severe is CVE-2018-1301?

CVE-2018-1301 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-1301?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Canonical Ubuntu Linux, Netapp Santricity Cloud Connector, Netapp Storage Automation Store.