Apache mod_proxy_http May Return Results for a Different Request
|
SecurityTracker Alert ID: 1024096 |
|
SecurityTracker URL: http://securitytracker.com/id/1024096
|
CVE Reference: CVE-2010-2068
|
Date: Jun 14 2010
|
Impact:
Disclosure of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.3.4-alpha, 2.3.5-alpha
|
Description:
A vulnerability was reported in Apache mod_proxy_http. A remote user may obtain the results for a different request.
Under certain timeout conditions, the server may return a response intended for another user.
Only Windows, NetWare, and OS/2 operating systems are affected.
Configurations that trigger the use of proxy worker pools are affected.
Loren Anderson reported this vulnerability.
|
Impact:
A remote user may obtain the results of a different request made by a different user.
|
Solution:
The vendor has issued a fix (2.2.16-dev).
The vendor's advisory is available at:
http://httpd.apache.org/security/vulnerabilities_22.html
|
Vendor URL: httpd.apache.org/
|
Cause:
Access control error, State error
|
Underlying OS:
Windows (Any)
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 14 Jun 2010 15:50:59 +0000
Subject: Apache httpd
|
http://httpd.apache.org/security/vulnerabilities_22.html
important: Timeout detection flaw (mod_proxy_http) CVE-2010-2068