CVE-2017-9798

Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 2.2.0 through 2.2.34 Apache HTTP Server versions 2.4.0 through 2.4.27

Description The issue allows remote attackers to read secret data from process memory under certain conditions, such as when the Limit directive can be set in a user's .htaccess file or if httpd.conf has specific misconfigurations. Attackers send an unauthenticated OPTIONS HTTP request to attempt to read secret data. This is a use-after-free issue, meaning secret data is not always sent, and the specific data depends on various factors including configuration.

Recommendations For Apache HTTP Server versions 2.2.0 through 2.2.34, apply a patch to the ap limit section function in server/core.c to block exploitation with .htaccess. For Apache HTTP Server versions 2.4.0 through 2.4.27, apply a patch to the ap limit section function in server/core.c to block exploitation with .htaccess. At the moment, there is no information about a newer version that contains a fix for this vulnerability.