PT-2009-4412 · Apache+1 · Apr-Util+2

Published 2009-04-24 · Updated 2024-06-15 · CVE-2009-1956

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P
Name of the Vulnerable Software and Affected Versions: Apache APR-util versions prior to 1.3.5
Description: The issue is an off-by-one error in the apr_brigade_vprintf function on big-endian platforms. This error allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input. The flaw stems from the way the APR-util library processes a variable list of arguments, potentially leading to the disclosure of sensitive information or a denial of service.
Recommendations: For Apache APR-util versions prior to 1.3.5, update to version 1.3.5 or later to resolve the issue. As a temporary workaround, consider restricting input to the apr_brigade_vprintf function to minimize the risk of exploitation.

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2009-1956
HPSBUX02612
OPENSUSE-SU-2024:10268-1
RHSA-2009:1107
RHSA-2009:1108
RHSA-2009_1107
RHSA-2010:0602

Affected Products

Apr-Util
Apache Http Server
Red Hat