CVE Vulnerabilities

CVE-2011-1928

Published: May 24, 2011 | Modified: Nov 07, 2023
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:N/A:P
RedHat/V2
2.6 LOW
AV:N/AC:H/Au:N/C:N/I:N/A:P
RedHat/V3
Ubuntu
MEDIUM

The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.

Affected Software

Name Vendor Start Version End Version
Apr-util Apache 1.4.3 (including) 1.4.3 (including)
Apr-util Apache 1.4.4 (including) 1.4.4 (including)
Http_server Apache 2.2.18 (including) 2.2.18 (including)
Red Hat Enterprise Linux 4 RedHat apr-0:0.9.4-26.el4 *
Red Hat Enterprise Linux 5 RedHat apr-0:1.2.7-11.el5_6.5 *
Red Hat Enterprise Linux 6 RedHat apr-0:1.3.9-3.el6_1.2 *
Apache2 Ubuntu dapper *
Apache2 Ubuntu upstream *
Apr Ubuntu hardy *
Apr Ubuntu lucid *
Apr Ubuntu maverick *
Apr Ubuntu natty *
Apr Ubuntu upstream *

References