CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

AI Score
Confidence: High

EPSS
Percentile: 97.5%

Package : apache2
Version : 2.2.22-13+deb7u10
CVE ID : CVE-2017-9788
Debian Bug : #868467

Robert Święcki discovered that the value placeholder in [Proxy-]Authorization
Digest headers was not initialized or reset before or between successive
key=value assignments in Apache 2's mod_auth_digest module.

Providing an initial key with no '=' assignment could reflect the stale value
of uninitialized pool memory used by the prior request, leading to leakage of
potentially confidential information and a segfault.

For Debian 7 "Wheezy", this issue has been fixed in apache2 version
2.2.22-13+deb7u10.

We recommend that you upgrade your apache2 packages.

Regards,
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
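
The flaw class described in the advisory, as an added example that is not Apache's code and not part of the original advisory: a toy key=value parser whose value buffer is only written when an '=' is present, shown with and without the reset. The function names, the `scratch` buffer standing in for reused pool memory, and the sample header strings are all constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define VAL_MAX 64

/* Constructed stand-in for scratch memory reused between requests
 * (the advisory's "pool memory used by the prior request"). */
static char scratch[VAL_MAX];

/* Parse the first "key[=value]" field of a Digest-style parameter list.
 * reset_value = 0 models the flaw: scratch is written only after an '='.
 * reset_value = 1 models the fix: scratch is cleared before every field.
 * Returns 1 if this header assigned a value, 0 if the key had no '='. */
static int parse_first_field(const char *hdr, char *key, size_t keylen,
                             int reset_value)
{
    size_t k = 0, v = 0;

    if (reset_value)
        scratch[0] = '\0';
    while (*hdr && isspace((unsigned char)*hdr))
        hdr++;
    while (*hdr && *hdr != '=' && *hdr != ',' && k + 1 < keylen)
        key[k++] = *hdr++;
    key[k] = '\0';
    if (*hdr != '=')
        return 0;               /* bare key: nothing assigned here */
    hdr++;
    while (*hdr && *hdr != ',' && v + 1 < VAL_MAX)
        scratch[v++] = *hdr++;
    scratch[v] = '\0';
    return 1;
}

/* Two successive requests share scratch; return the value the second
 * request (a bare key with no '=') ends up associated with. */
static const char *second_request_value(int reset_value)
{
    char key[32];

    scratch[0] = '\0';
    parse_first_field("username=alice-secret", key, sizeof key, reset_value);
    parse_first_field("nonce", key, sizeof key, reset_value);
    return scratch;
}

int main(void)
{
    printf("without reset: \"%s\"\n", second_request_value(0));
    printf("with reset:    \"%s\"\n", second_request_value(1));
    return 0;
}
```
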
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Debian | 8 | mips | apache2-utils | < 2.4.10-10+deb8u10 | apache2-utils_2.4.10-10+deb8u10_mips.deb |
Debian | 9 | amd64 | apache2-dbg | < 2.4.25-3+deb9u2 | apache2-dbg_2.4.25-3+deb9u2_amd64.deb |
Debian | 8 | arm64 | apache2-dev | < 2.4.10-10+deb8u10 | apache2-dev_2.4.10-10+deb8u10_arm64.deb |
Debian | 9 | i386 | apache2-suexec-pristine | < 2.4.25-3+deb9u2 | apache2-suexec-pristine_2.4.25-3+deb9u2_i386.deb |
Debian | 8 | arm64 | apache2-suexec-pristine | < 2.4.10-10+deb8u10 | apache2-suexec-pristine_2.4.10-10+deb8u10_arm64.deb |
Debian | 9 | arm64 | apache2-ssl-dev | < 2.4.25-3+deb9u2 | apache2-ssl-dev_2.4.25-3+deb9u2_arm64.deb |
Debian | 8 | amd64 | apache2-mpm-event | < 2.4.10-10+deb8u10 | apache2-mpm-event_2.4.10-10+deb8u10_amd64.deb |
Debian | 8 | kfreebsd-amd64 | apache2-dbg | < 2.4.10-10+deb8u10 | apache2-dbg_2.4.10-10+deb8u10_kfreebsd-amd64.deb |
Debian | 8 | s390x | apache2-utils | < 2.4.10-10+deb8u10 | apache2-utils_2.4.10-10+deb8u10_s390x.deb |
Debian | 7 | i386 | apache2-dbg | < 2.2.22-13+deb7u10 | apache2-dbg_2.2.22-13+deb7u10_i386.deb |