PT-2011-3482 · Apache+1 · Apache Http Server+2

Chris · Published 2011-05-24 · Updated 2024-06-15 · CVE-2011-1928

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions

Apache Portable Runtime (APR) library versions 1.4.3 through 1.4.4
Apache HTTP Server version 2.2.18

Description

The issue allows remote attackers to cause a denial of service, resulting in an infinite loop, via a URI that does not match certain types of wildcard patterns. This can be demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used.

Recommendations

For Apache Portable Runtime (APR) library versions 1.4.3 and 1.4.4, consider updating to a version that includes a correct fix for the issue. For Apache HTTP Server version 2.2.18, consider updating to a version that includes a correct fix for the issue. As a temporary workaround, consider restricting access to the mod_autoindex module in httpd to minimize the risk of exploitation.

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2011-1928
DSA-2237-2
OPENSUSE-SU-2024:10063-1
OPENSUSE-SU-2024:11596-1
RHSA-2011:0844
RHSA-2011_0844

Affected Products

Apache Http Server
Apache Portable Runtime
Red Hat