cvelistv5 - cve-2010-3872

CVE-2010-3872 (GCVE-0-2010-3872)

Vulnerability from cvelistv5 – Published: 2010-11-20 20:00 – Updated: 2024-08-07 03:26

Summary

A flaw was found in the mod_fcgid module of httpd. A malformed FastCGI response may result in a stack-based buffer overflow in the modules/fcgid/fcgid_bucket.c file in the fcgid_header_bucket_read() function, resulting in an application crash.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-121 - Stack-based Buffer Overflow

Assigner

redhat

References

URL

Tags

	http://lists.fedoraproject.org/pipermail/package-…	vendor-advisoryx_refsource_FEDORA
	http://lists.fedoraproject.org/pipermail/package-…	vendor-advisoryx_refsource_FEDORA
	http://lists.fedoraproject.org/pipermail/package-…	vendor-advisoryx_refsource_FEDORA
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	http://osvdb.org/69275	vdb-entryx_refsource_OSVDB
	http://secunia.com/advisories/42288	third-party-advisoryx_refsource_SECUNIA
	http://secunia.com/advisories/42302	third-party-advisoryx_refsource_SECUNIA
	http://secunia.com/advisories/42815	third-party-advisoryx_refsource_SECUNIA
	http://www.debian.org/security/2010/dsa-2140	vendor-advisoryx_refsource_DEBIAN
	http://www.gossamer-threads.com/lists/apache/anno…	mailing-listx_refsource_MLIST
	http://www.securityfocus.com/bid/44900	vdb-entryx_refsource_BID
	http://www.vupen.com/english/advisories/2010/2997	vdb-entryx_refsource_VUPEN
	http://www.vupen.com/english/advisories/2010/2998	vdb-entryx_refsource_VUPEN
	http://www.vupen.com/english/advisories/2011/0031	vdb-entryx_refsource_VUPEN
	https://access.redhat.com/security/cve/CVE-2010-3872	vdb-entryx_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2248172	issue-trackingx_refsource_REDHAT
	https://exchange.xforce.ibmcloud.com/vulnerabilit…	vdb-entryx_refsource_XF
	https://github.com/apache/httpd-mod_fcgid/commit/…
	https://issues.apache.org/bugzilla/show_bug.cgi?i…	x_refsource_CONFIRM

Impacted products

Vendor

Product

Version

n/a

mod_fcgid

Unaffected: 2.3.6

Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 8	cpe:/o:redhat:enterprise_linux:8
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Fedora	Fedora

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T03:26:12.242Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "FEDORA-2010-17474",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html"
          },
          {
            "name": "FEDORA-2010-17434",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html"
          },
          {
            "name": "FEDORA-2010-17472",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html"
          },
          {
            "name": "openSUSE-SU-2011:0884",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html"
          },
          {
            "name": "SUSE-SU-2011:0885",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html"
          },
          {
            "name": "69275",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://osvdb.org/69275"
          },
          {
            "name": "42288",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/42288"
          },
          {
            "name": "42302",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/42302"
          },
          {
            "name": "42815",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/42815"
          },
          {
            "name": "DSA-2140",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2010/dsa-2140"
          },
          {
            "name": "[apache] 20101107 [ANNOUNCE] mod_fcgid 2.3.6 is released",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.gossamer-threads.com/lists/apache/announce/391406"
          },
          {
            "name": "44900",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/44900"
          },
          {
            "name": "ADV-2010-2997",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2010/2997"
          },
          {
            "name": "ADV-2010-2998",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2010/2998"
          },
          {
            "name": "ADV-2011-0031",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/0031"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2010-3872"
          },
          {
            "name": "RHBZ#2248172",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248172"
          },
          {
            "name": "apache-fcgid-bo(63303)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/63303"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=49406"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mod_fcgid",
          "vendor": "n/a",
          "versions": [
            {
              "status": "unaffected",
              "version": "2.3.6"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "mod_fcgid",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "mod_fcgid",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "mod_fcgid",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://packages.fedoraproject.org/",
          "defaultStatus": "unaffected",
          "packageName": "mod_fcgid",
          "product": "Fedora",
          "vendor": "Fedora"
        }
      ],
      "datePublic": "2010-06-08T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in the mod_fcgid module of httpd. A malformed FastCGI response may result in a stack-based buffer overflow in the modules/fcgid/fcgid_bucket.c file in the fcgid_header_bucket_read() function, resulting in an application crash."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-25T05:17:45.315Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "FEDORA-2010-17474",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html"
        },
        {
          "name": "FEDORA-2010-17434",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html"
        },
        {
          "name": "FEDORA-2010-17472",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html"
        },
        {
          "name": "openSUSE-SU-2011:0884",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html"
        },
        {
          "name": "SUSE-SU-2011:0885",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html"
        },
        {
          "name": "69275",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://osvdb.org/69275"
        },
        {
          "name": "42288",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/42288"
        },
        {
          "name": "42302",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/42302"
        },
        {
          "name": "42815",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/42815"
        },
        {
          "name": "DSA-2140",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2010/dsa-2140"
        },
        {
          "name": "[apache] 20101107 [ANNOUNCE] mod_fcgid 2.3.6 is released",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.gossamer-threads.com/lists/apache/announce/391406"
        },
        {
          "name": "44900",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/44900"
        },
        {
          "name": "ADV-2010-2997",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2010/2997"
        },
        {
          "name": "ADV-2010-2998",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2010/2998"
        },
        {
          "name": "ADV-2011-0031",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/0031"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2010-3872"
        },
        {
          "name": "RHBZ#2248172",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248172"
        },
        {
          "name": "apache-fcgid-bo(63303)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/63303"
        },
        {
          "url": "https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=49406"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-10-17T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2010-06-08T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Httpd: mod_fcgid: stack-based buffer overflow in fcgid_header_bucket_read() in modules/fcgid/fcgid_bucket.c",
      "x_redhatCweChain": "CWE-121: Stack-based Buffer Overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2010-3872",
    "datePublished": "2010-11-20T20:00:00",
    "dateReserved": "2010-10-08T00:00:00",
    "dateUpdated": "2024-08-07T03:26:12.242Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:mod_fcgid:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.3.5\", \"matchCriteriaId\": \"1F5E7028-528F-4C7C-9D8F-A43652D325F4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:mod_fcgid:2.3.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F6AFABE7-90C2-41F9-A01C-EA11FB12C97E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:mod_fcgid:2.3.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"42A39798-B60F-42FC-95C7-F79B19C9228A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:mod_fcgid:2.3.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"61DCEEBF-8F45-4093-BE11-C8EE33D25CC3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:mod_fcgid:2.3.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DB100548-FA9E-4E65-9D47-D1FE492ADFFD\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A flaw was found in the mod_fcgid module of httpd. A malformed FastCGI response may result in a stack-based buffer overflow in the modules/fcgid/fcgid_bucket.c file in the fcgid_header_bucket_read() function, resulting in an application crash.\"}, {\"lang\": \"es\", \"value\": \"La funci\\u00f3n apr_status_t fcgid_header_bucket_read en fcgid_bucket.c en Apache mod_fcgid anterior a v2.3.6 no utiliza punteros aritm\\u00e9ticos bytewise en ciertas ciscunstancias,  lo que provoca un impacto desconocido y vectores de ataque relacionados con \\\"untrusted FastCGI applications\\\" y un \\\"stack buffer overwrite\\\".\"}]",
      "id": "CVE-2010-3872",
      "lastModified": "2024-11-21T01:19:47.837",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:C/I:C/A:C\", \"baseScore\": 7.2, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 3.9, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2010-11-22T12:54:10.300",
      "references": "[{\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://osvdb.org/69275\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/42288\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/42302\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/42815\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.debian.org/security/2010/dsa-2140\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.gossamer-threads.com/lists/apache/announce/391406\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/bid/44900\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.vupen.com/english/advisories/2010/2997\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2010/2998\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2011/0031\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2010-3872\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2248172\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/63303\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://issues.apache.org/bugzilla/show_bug.cgi?id=49406\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://osvdb.org/69275\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/42288\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/42302\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/42815\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.debian.org/security/2010/dsa-2140\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.gossamer-threads.com/lists/apache/announce/391406\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/44900\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.vupen.com/english/advisories/2010/2997\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2010/2998\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2011/0031\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2010-3872\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2248172\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/63303\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://issues.apache.org/bugzilla/show_bug.cgi?id=49406\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-121\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-189\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2010-3872\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2010-11-22T12:54:10.300\",\"lastModified\":\"2025-04-11T00:51:21.963\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in the mod_fcgid module of httpd. A malformed FastCGI response may result in a stack-based buffer overflow in the modules/fcgid/fcgid_bucket.c file in the fcgid_header_bucket_read() function, resulting in an application crash.\"},{\"lang\":\"es\",\"value\":\"La funci\u00f3n apr_status_t fcgid_header_bucket_read en fcgid_bucket.c en Apache mod_fcgid anterior a v2.3.6 no utiliza punteros aritm\u00e9ticos bytewise en ciertas ciscunstancias,  lo que provoca un impacto desconocido y vectores de ataque relacionados con \\\"untrusted FastCGI applications\\\" y un \\\"stack buffer overwrite\\\".\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":7.2,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":3.9,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-121\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-189\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:mod_fcgid:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.3.5\",\"matchCriteriaId\":\"1F5E7028-528F-4C7C-9D8F-A43652D325F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:mod_fcgid:2.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F6AFABE7-90C2-41F9-A01C-EA11FB12C97E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:mod_fcgid:2.3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"42A39798-B60F-42FC-95C7-F79B19C9228A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:mod_fcgid:2.3.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"61DCEEBF-8F45-4093-BE11-C8EE33D25CC3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:mod_fcgid:2.3.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DB100548-FA9E-4E65-9D47-D1FE492ADFFD\"}]}]}],\"references\":[{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://osvdb.org/69275\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/42288\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/42302\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/42815\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.debian.org/security/2010/dsa-2140\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.gossamer-threads.com/lists/apache/announce/391406\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/44900\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.vupen.com/english/advisories/2010/2997\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2010/2998\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2011/0031\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2010-3872\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2248172\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/63303\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://issues.apache.org/bugzilla/show_bug.cgi?id=49406\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://osvdb.org/69275\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/42288\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/42302\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/42815\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2010/dsa-2140\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.gossamer-threads.com/lists/apache/announce/391406\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/44900\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.vupen.com/english/advisories/2010/2997\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2010/2998\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2011/0031\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2010-3872\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2248172\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/63303\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://issues.apache.org/bugzilla/show_bug.cgi?id=49406\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}"
  }
}

OPENSUSE-SU-2024:10564-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

apache2-mod_fcgid-2.3.9-7.3 on GA media

Notes

Title of the patch

apache2-mod_fcgid-2.3.9-7.3 on GA media

Description of the patch

These are all security issues fixed in the apache2-mod_fcgid-2.3.9-7.3 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-10564

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "apache2-mod_fcgid-2.3.9-7.3 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the apache2-mod_fcgid-2.3.9-7.3 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-10564",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10564-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2010-3872 page",
        "url": "https://www.suse.com/security/cve/CVE-2010-3872/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2013-4365 page",
        "url": "https://www.suse.com/security/cve/CVE-2013-4365/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2016-1000104 page",
        "url": "https://www.suse.com/security/cve/CVE-2016-1000104/"
      }
    ],
    "title": "apache2-mod_fcgid-2.3.9-7.3 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:10564-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache2-mod_fcgid-2.3.9-7.3.aarch64",
                "product": {
                  "name": "apache2-mod_fcgid-2.3.9-7.3.aarch64",
                  "product_id": "apache2-mod_fcgid-2.3.9-7.3.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache2-mod_fcgid-2.3.9-7.3.ppc64le",
                "product": {
                  "name": "apache2-mod_fcgid-2.3.9-7.3.ppc64le",
                  "product_id": "apache2-mod_fcgid-2.3.9-7.3.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache2-mod_fcgid-2.3.9-7.3.s390x",
                "product": {
                  "name": "apache2-mod_fcgid-2.3.9-7.3.s390x",
                  "product_id": "apache2-mod_fcgid-2.3.9-7.3.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache2-mod_fcgid-2.3.9-7.3.x86_64",
                "product": {
                  "name": "apache2-mod_fcgid-2.3.9-7.3.x86_64",
                  "product_id": "apache2-mod_fcgid-2.3.9-7.3.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_fcgid-2.3.9-7.3.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.aarch64"
        },
        "product_reference": "apache2-mod_fcgid-2.3.9-7.3.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_fcgid-2.3.9-7.3.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.ppc64le"
        },
        "product_reference": "apache2-mod_fcgid-2.3.9-7.3.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_fcgid-2.3.9-7.3.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.s390x"
        },
        "product_reference": "apache2-mod_fcgid-2.3.9-7.3.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_fcgid-2.3.9-7.3.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.x86_64"
        },
        "product_reference": "apache2-mod_fcgid-2.3.9-7.3.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2010-3872",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2010-3872"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in the mod_fcgid module of httpd. A malformed FastCGI response may result in a stack-based buffer overflow in the modules/fcgid/fcgid_bucket.c file in the fcgid_header_bucket_read() function, resulting in an application crash.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.aarch64",
          "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.ppc64le",
          "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.s390x",
          "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2010-3872",
          "url": "https://www.suse.com/security/cve/CVE-2010-3872"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 656092 for CVE-2010-3872",
          "url": "https://bugzilla.suse.com/656092"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.aarch64",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.ppc64le",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.s390x",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.aarch64",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.ppc64le",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.s390x",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2010-3872"
    },
    {
      "cve": "CVE-2013-4365",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2013-4365"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Heap-based buffer overflow in the fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3.9 for the Apache HTTP Server allows remote attackers to have an unspecified impact via unknown vectors.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.aarch64",
          "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.ppc64le",
          "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.s390x",
          "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2013-4365",
          "url": "https://www.suse.com/security/cve/CVE-2013-4365"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 844935 for CVE-2013-4365",
          "url": "https://bugzilla.suse.com/844935"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.aarch64",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.ppc64le",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.s390x",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2013-4365"
    },
    {
      "cve": "CVE-2016-1000104",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2016-1000104"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A security Bypass vulnerability exists in the FcgidPassHeader Proxy in mod_fcgid through 2016-07-07.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.aarch64",
          "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.ppc64le",
          "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.s390x",
          "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2016-1000104",
          "url": "https://www.suse.com/security/cve/CVE-2016-1000104"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 988486 for CVE-2016-1000104",
          "url": "https://bugzilla.suse.com/988486"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 988487 for CVE-2016-1000104",
          "url": "https://bugzilla.suse.com/988487"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 988488 for CVE-2016-1000104",
          "url": "https://bugzilla.suse.com/988488"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 988489 for CVE-2016-1000104",
          "url": "https://bugzilla.suse.com/988489"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 988491 for CVE-2016-1000104",
          "url": "https://bugzilla.suse.com/988491"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 988492 for CVE-2016-1000104",
          "url": "https://bugzilla.suse.com/988492"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 989174 for CVE-2016-1000104",
          "url": "https://bugzilla.suse.com/989174"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.aarch64",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.ppc64le",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.s390x",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.aarch64",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.ppc64le",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.s390x",
            "openSUSE Tumbleweed:apache2-mod_fcgid-2.3.9-7.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2016-1000104"
    }
  ]
}

GSD-2010-3872

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2010-3872

Aliases

CVE-2010-3872

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2010-3872",
    "description": "The fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3.6 for the Apache HTTP Server does not use bytewise pointer arithmetic in certain circumstances, which has unspecified impact and attack vectors related to \"untrusted FastCGI applications\" and a \"stack buffer overwrite.\"",
    "id": "GSD-2010-3872",
    "references": [
      "https://www.suse.com/security/cve/CVE-2010-3872.html",
      "https://www.debian.org/security/2011/dsa-2140"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2010-3872"
      ],
      "details": "A flaw was found in the mod_fcgid module of httpd. A malformed FastCGI response may result in a stack-based buffer overflow in the modules/fcgid/fcgid_bucket.c file in the fcgid_header_bucket_read() function, resulting in an application crash.",
      "id": "GSD-2010-3872",
      "modified": "2023-12-13T01:21:34.455997Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2010-3872",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "mod_fcgid",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "versions": [
                              {
                                "status": "unaffected",
                                "version": "2.3.6"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            },
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Red Hat Enterprise Linux 7",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "unaffected"
                          }
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Red Hat Enterprise Linux 8",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "unaffected"
                          }
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Red Hat Enterprise Linux 9",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "unaffected"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Red Hat"
            },
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Fedora",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "unaffected"
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Fedora"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A flaw was found in the mod_fcgid module of httpd. A malformed FastCGI response may result in a stack-based buffer overflow in the modules/fcgid/fcgid_bucket.c file in the fcgid_header_bucket_read() function, resulting in an application crash."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-121",
                "lang": "eng",
                "value": "Stack-based Buffer Overflow"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html",
            "refsource": "MISC",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html"
          },
          {
            "name": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html",
            "refsource": "MISC",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html"
          },
          {
            "name": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html",
            "refsource": "MISC",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html"
          },
          {
            "name": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html",
            "refsource": "MISC",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html"
          },
          {
            "name": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html",
            "refsource": "MISC",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html"
          },
          {
            "name": "http://osvdb.org/69275",
            "refsource": "MISC",
            "url": "http://osvdb.org/69275"
          },
          {
            "name": "http://secunia.com/advisories/42288",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/42288"
          },
          {
            "name": "http://secunia.com/advisories/42302",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/42302"
          },
          {
            "name": "http://secunia.com/advisories/42815",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/42815"
          },
          {
            "name": "http://www.debian.org/security/2010/dsa-2140",
            "refsource": "MISC",
            "url": "http://www.debian.org/security/2010/dsa-2140"
          },
          {
            "name": "http://www.gossamer-threads.com/lists/apache/announce/391406",
            "refsource": "MISC",
            "url": "http://www.gossamer-threads.com/lists/apache/announce/391406"
          },
          {
            "name": "http://www.securityfocus.com/bid/44900",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/bid/44900"
          },
          {
            "name": "http://www.vupen.com/english/advisories/2010/2997",
            "refsource": "MISC",
            "url": "http://www.vupen.com/english/advisories/2010/2997"
          },
          {
            "name": "http://www.vupen.com/english/advisories/2010/2998",
            "refsource": "MISC",
            "url": "http://www.vupen.com/english/advisories/2010/2998"
          },
          {
            "name": "http://www.vupen.com/english/advisories/2011/0031",
            "refsource": "MISC",
            "url": "http://www.vupen.com/english/advisories/2011/0031"
          },
          {
            "name": "https://access.redhat.com/security/cve/CVE-2010-3872",
            "refsource": "MISC",
            "url": "https://access.redhat.com/security/cve/CVE-2010-3872"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2248172",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248172"
          },
          {
            "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/63303",
            "refsource": "MISC",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/63303"
          },
          {
            "name": "https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2",
            "refsource": "MISC",
            "url": "https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2"
          },
          {
            "name": "https://issues.apache.org/bugzilla/show_bug.cgi?id=49406",
            "refsource": "MISC",
            "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=49406"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:mod_fcgid:2.3.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:mod_fcgid:2.3.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:mod_fcgid:2.3.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:mod_fcgid:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.3.5",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:mod_fcgid:2.3.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2010-3872"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A flaw was found in the mod_fcgid module of httpd. A malformed FastCGI response may result in a stack-based buffer overflow in the modules/fcgid/fcgid_bucket.c file in the fcgid_header_bucket_read() function, resulting in an application crash."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-189"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "FEDORA-2010-17474",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html"
            },
            {
              "name": "FEDORA-2010-17472",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html"
            },
            {
              "name": "FEDORA-2010-17434",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html"
            },
            {
              "name": "ADV-2010-2998",
              "refsource": "VUPEN",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.vupen.com/english/advisories/2010/2998"
            },
            {
              "name": "42288",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/42288"
            },
            {
              "name": "42302",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/42302"
            },
            {
              "name": "ADV-2010-2997",
              "refsource": "VUPEN",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.vupen.com/english/advisories/2010/2997"
            },
            {
              "name": "69275",
              "refsource": "OSVDB",
              "tags": [],
              "url": "http://osvdb.org/69275"
            },
            {
              "name": "[apache] 20101107 [ANNOUNCE] mod_fcgid 2.3.6 is released",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.gossamer-threads.com/lists/apache/announce/391406"
            },
            {
              "name": "https://issues.apache.org/bugzilla/show_bug.cgi?id=49406",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=49406"
            },
            {
              "name": "42815",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/42815"
            },
            {
              "name": "ADV-2011-0031",
              "refsource": "VUPEN",
              "tags": [],
              "url": "http://www.vupen.com/english/advisories/2011/0031"
            },
            {
              "name": "44900",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/44900"
            },
            {
              "name": "DSA-2140",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "http://www.debian.org/security/2010/dsa-2140"
            },
            {
              "name": "openSUSE-SU-2011:0884",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html"
            },
            {
              "name": "SUSE-SU-2011:0885",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html"
            },
            {
              "name": "apache-fcgid-bo(63303)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/63303"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2248172",
              "refsource": "MISC",
              "tags": [],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248172"
            },
            {
              "name": "https://access.redhat.com/security/cve/CVE-2010-3872",
              "refsource": "MISC",
              "tags": [],
              "url": "https://access.redhat.com/security/cve/CVE-2010-3872"
            },
            {
              "name": "https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2",
              "refsource": "",
              "tags": [],
              "url": "https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.2,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2023-11-07T20:15Z",
      "publishedDate": "2010-11-22T12:54Z"
    }
  }
}

FKIE_CVE-2010-3872

Vulnerability from fkie_nvd - Published: 2010-11-22 12:54 - Updated: 2025-04-11 00:51

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html
secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html
secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html
secalert@redhat.com	http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html
secalert@redhat.com	http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html
secalert@redhat.com	http://osvdb.org/69275
secalert@redhat.com	http://secunia.com/advisories/42288	Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/42302	Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/42815
secalert@redhat.com	http://www.debian.org/security/2010/dsa-2140
secalert@redhat.com	http://www.gossamer-threads.com/lists/apache/announce/391406
secalert@redhat.com	http://www.securityfocus.com/bid/44900
secalert@redhat.com	http://www.vupen.com/english/advisories/2010/2997	Vendor Advisory
secalert@redhat.com	http://www.vupen.com/english/advisories/2010/2998	Vendor Advisory
secalert@redhat.com	http://www.vupen.com/english/advisories/2011/0031
secalert@redhat.com	https://access.redhat.com/security/cve/CVE-2010-3872
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=2248172
secalert@redhat.com	https://exchange.xforce.ibmcloud.com/vulnerabilities/63303
secalert@redhat.com	https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2
secalert@redhat.com	https://issues.apache.org/bugzilla/show_bug.cgi?id=49406	Patch
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html
af854a3a-2127-422b-91ae-364da2661108	http://osvdb.org/69275
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/42288	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/42302	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/42815
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2010/dsa-2140
af854a3a-2127-422b-91ae-364da2661108	http://www.gossamer-threads.com/lists/apache/announce/391406
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/44900
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2010/2997	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2010/2998	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2011/0031
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/security/cve/CVE-2010-3872
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=2248172
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/63303
af854a3a-2127-422b-91ae-364da2661108	https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2
af854a3a-2127-422b-91ae-364da2661108	https://issues.apache.org/bugzilla/show_bug.cgi?id=49406	Patch

Impacted products

Vendor	Product	Version
apache	mod_fcgid	*
apache	mod_fcgid	2.3.1
apache	mod_fcgid	2.3.2
apache	mod_fcgid	2.3.3
apache	mod_fcgid	2.3.4

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:mod_fcgid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1F5E7028-528F-4C7C-9D8F-A43652D325F4",
              "versionEndIncluding": "2.3.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:mod_fcgid:2.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F6AFABE7-90C2-41F9-A01C-EA11FB12C97E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:mod_fcgid:2.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "42A39798-B60F-42FC-95C7-F79B19C9228A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:mod_fcgid:2.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "61DCEEBF-8F45-4093-BE11-C8EE33D25CC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:mod_fcgid:2.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB100548-FA9E-4E65-9D47-D1FE492ADFFD",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in the mod_fcgid module of httpd. A malformed FastCGI response may result in a stack-based buffer overflow in the modules/fcgid/fcgid_bucket.c file in the fcgid_header_bucket_read() function, resulting in an application crash."
    },
    {
      "lang": "es",
      "value": "La funci\u00f3n apr_status_t fcgid_header_bucket_read en fcgid_bucket.c en Apache mod_fcgid anterior a v2.3.6 no utiliza punteros aritm\u00e9ticos bytewise en ciertas ciscunstancias,  lo que provoca un impacto desconocido y vectores de ataque relacionados con \"untrusted FastCGI applications\" y un \"stack buffer overwrite\"."
    }
  ],
  "id": "CVE-2010-3872",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.2,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2010-11-22T12:54:10.300",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://osvdb.org/69275"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/42288"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/42302"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://secunia.com/advisories/42815"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.debian.org/security/2010/dsa-2140"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.gossamer-threads.com/lists/apache/announce/391406"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/bid/44900"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2010/2997"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2010/2998"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.vupen.com/english/advisories/2011/0031"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/security/cve/CVE-2010-3872"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248172"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/63303"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=49406"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://osvdb.org/69275"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/42288"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/42302"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/42815"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2010/dsa-2140"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.gossamer-threads.com/lists/apache/announce/391406"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/44900"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2010/2997"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2010/2998"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2011/0031"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/security/cve/CVE-2010-3872"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248172"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/63303"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=49406"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-121"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-189"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-FF73-846Q-P888

Vulnerability from github – Published: 2022-05-17 02:04 – Updated: 2023-11-06 18:30

Details

The fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3.6 for the Apache HTTP Server does not use bytewise pointer arithmetic in certain circumstances, which has unspecified impact and attack vectors related to "untrusted FastCGI applications" and a "stack buffer overwrite."

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2010-3872"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-121"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-11-22T12:54:00Z",
    "severity": "HIGH"
  },
  "details": "The fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3.6 for the Apache HTTP Server does not use bytewise pointer arithmetic in certain circumstances, which has unspecified impact and attack vectors related to \"untrusted FastCGI applications\" and a \"stack buffer overwrite.\"",
  "id": "GHSA-ff73-846q-p888",
  "modified": "2023-11-06T18:30:16Z",
  "published": "2022-05-17T02:04:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3872"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2010-3872"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248172"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/63303"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=49406"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/69275"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42288"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42302"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42815"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2010/dsa-2140"
    },
    {
      "type": "WEB",
      "url": "http://www.gossamer-threads.com/lists/apache/announce/391406"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/44900"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/2997"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/2998"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0031"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2010-3872 (GCVE-0-2010-3872)

OPENSUSE-SU-2024:10564-1

GSD-2010-3872

FKIE_CVE-2010-3872

GHSA-FF73-846Q-P888

Tags

Sightings

Nomenclature