| Vulnerability Name: | CVE-2002-0842 (CCN-11330) | ||||||||
| Assigned: | 2003-02-11 | ||||||||
| Published: | 2003-02-11 | ||||||||
| Updated: | 2016-10-18 | ||||||||
| Summary: | Format string vulnerability in certain third party modifications to mod_dav for logging bad gateway messages (e.g. Oracle9i Application Server 9.0.2) allows remote attackers to execute arbitrary code via a destination URI that forces a "502 Bad Gateway" response, which causes the format string specifiers to be returned from dav_lookup_uri() in mod_dav.c, which is then used in a call to ap_log_rerror(). | ||||||||
| CVSS v3 Severity: | 0.0 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)
| ||||||||
| CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
| ||||||||
| Vulnerability Type: | CWE-Other | ||||||||
| Vulnerability Consequences: | Denial of Service | ||||||||
| References: | Source: CCN Type: BugTraq Mailing List, Tue Feb 18 2003 - 12:44:16 CST CSSA-2003-007.0 Advisory withdrawn. Re: Security Update: [CSSA-2003-007.0] Linux: Apache mod_dav module format string vulnerability Source: CCN Type: BugTraq Mailing List, Tue Feb 18 2003 - 13:12:12 CST Re: CSSA-2003-007.0 Advisory withdrawn. Source: VULNWATCH Type: UNKNOWN 20030217 Oracle9i Application Server Format String Vulnerability (#NISR16022003d) Source: MITRE Type: CNA CVE-2002-0842 Source: NTBUGTRAQ Type: UNKNOWN 20030217 Oracle9i Application Server Format String Vulnerability (#NISR16022003d) Source: BUGTRAQ Type: UNKNOWN 20030218 CSSA-2003-007.0 Advisory withdrawn. Re: Security Update: [CSSA-2003-007.0] Linux: Apache mod_dav mo Source: BUGTRAQ Type: UNKNOWN 20030218 Re: CSSA-2003-007.0 Advisory withdrawn. Source: CCN Type: Oracle Security Alert #52 Two Security Vulnerabilities in Oracle9i Application Server Source: CONFIRM Type: Patch, Vendor Advisory http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf Source: CCN Type: CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle Servers Source: CERT Type: US Government Resource CA-2003-05 Source: CCN Type: CIAC Information Bulletin N-046 Multiple Vulnerabilities in Oracle Servers Source: CIAC Type: UNKNOWN N-046 Source: XF Type: Vendor Advisory oracle-appserver-davpublic-dos(11330) Source: CCN Type: US-CERT VU#849993 Some implementations of mod_dav contain a format string vulnerability in ap_log_rerror() function Source: CERT-VN Type: Exploit, Patch, Third Party Advisory, US Government Resource VU#849993 Source: CCN Type: NGSSoftware Insight Security Research Advisory #NISR16022003d Oracle9i Application Server Format String Vulnerability Source: MISC Type: UNKNOWN http://www.nextgenss.com/advisories/ora-appservfmtst.txt Source: BID Type: UNKNOWN 6846 Source: CCN Type: BID-6846 Oracle 9i Application Server DAV_PUBLIC Format String Vulnerability Source: CCN Type: TLSA-2003-15 Format string vulnerability Source: XF Type: UNKNOWN oracle-appserver-davpublic-dos(11330) | ||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||
| BACK | |||||||||