National Vulnerability Database

CVE-2002-0843 Detail

Description

Buffer overflows in the ApacheBench benchmark support program (ab.c) in Apache before 1.3.27, and Apache 2.x before 2.0.43, allow a malicious web server to cause a denial of service and possibly execute arbitrary code via a long response.

Source: MITRE
Last Modified: 10/11/2002

Quick Info

CVE Dictionary Entry: CVE-2002-0843
Original release date: 10/11/2002
Last revised: 10/17/2016
Source: US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 HIGH
Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Impact Subscore: 6.4
Exploitability Subscore: 10.0

CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Provides user account access, Allows partial confidentiality, integrity, and availability violation; Allows unauthorized disclosure of information; Allows disruption of service

Vendor Statements

Official Statement from Apache (07/02/2008)

Fixed in Apache HTTP Server 1.3.27: http://httpd.apache.org/security/vulnerabilities_13.html

References to Advisories, Solutions, and Tools

Hyperlink | Resource Type | Source | Name
ftp://patches.sgi.com/support/free/security/advisories/20021105-01-I | External Source | SGI | 20021105-01-I
http://archives.neohapsis.com/archives/bugtraq/2002-10/0229.html | External Source | BUGTRAQ | 20021016 Apache 1.3.26
http://archives.neohapsis.com/archives/bugtraq/2002-10/0254.html | External Source | BUGTRAQ | 20021017 TSLSA-2002-0069-apache
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000530 | External Source | CONECTIVA | CLA-2002:530
http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000530 | External Source | CONECTIVA | CLSA-2002:530
http://marc.info/?l=apache-httpd-announce&m=103367938230488&w=2 | External Source | CONFIRM | http://marc.info/?l=apache-httpd-announce&m=103367938230488&w=2
http://marc.info/?l=bugtraq&m=103376585508776&w=2 | External Source | BUGTRAQ | 20021003 [OpenPKG-SA-2002.009] OpenPKG Security Advisory (apache)
http://online.securityfocus.com/advisories/4617 | External Source | HP | HPSBUX0210-224
http://www.apacheweek.com/issues/02-10-04 | Vendor Advisory; External Source | CONFIRM | http://www.apacheweek.com/issues/02-10-04
http://www.debian.org/security/2002/dsa-187 | External Source | DEBIAN | DSA-187
http://www.debian.org/security/2002/dsa-188 | External Source | DEBIAN | DSA-188
http://www.debian.org/security/2002/dsa-195 | External Source | DEBIAN | DSA-195
http://www.iss.net/security_center/static/10281.php | External Source | XF | apache-apachebench-response-bo(10281)
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-068.php | External Source | MANDRAKE | MDKSA-2002:068
http://www.linuxsecurity.com/advisories/other_advisory-2414.html | External Source | ENGARDE | ESA-20021007-024
http://www.securityfocus.com/bid/5887 | External Source | BID | 5887
http://www.securityfocus.com/bid/5995 | External Source | BID | 5995
http://www.securityfocus.com/bid/5996 | External Source | BID | 5996
http://www.vupen.com/english/advisories/2006/3263 | External Source | VUPEN | ADV-2006-3263
http://www-1.ibm.com/support/search.wss?rs=0&q=IY87070&apar=only | External Source | AIXAPAR | IY87070
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=2871 | External Source | CONFIRM | http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=2871

Technical Details

Vulnerability Type

Vulnerable software and versions

Configuration 1
OR
cpe:2.3:a:apache:http_server:1.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:1.3.26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_server:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_server:1.0.2.1s:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_server:1.0.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_server:9.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_server:9.0.2:r2:*:*:*:*:*:*
cpe:2.3:a:oracle:application_server:9.0.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:database_server:8.1.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:database_server:9.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:oracle8i:8.1.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:oracle8i:8.1.7.0.0_enterprise:*:*:*:*:*:*:*
cpe:2.3:a:oracle:oracle8i:8.1.7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:oracle8i:8.1.7.1.0_enterprise:*:*:*:*:*:*:*

Change History: 2 change records found