Vulnerability CVE-2006-0042 - CERT Civis.Net

Vulnerability Name:

CVE-2006-0042 (CCN-24917)

Assigned:

2005-12-20

Published:

2006-02-17

Updated:

2018-11-29

Summary:

Unspecified vulnerability in (1) apreq_parse_headers and (2) apreq_parse_urlencoded functions in Apache2::Request (Libapreq2) before 2.07 allows remote attackers to cause a denial of service (CPU consumption) via unknown attack vectors that result in quadratic computational complexity.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2006-0042

Source: CCN
Type: SA18846
Libapreq2 Unspecified Vulnerability

Source: SECUNIA
Type: Patch, Third Party Advisory
18846

Source: SECUNIA
Type: Patch, Third Party Advisory
19139

Source: SECUNIA
Type: Third Party Advisory
19658

Source: SREASON
Type: Third Party Advisory
737

Source: CCN
Type: Apache Software Foundation Web site
View of /httpd/apreq/tags/v2_07/CHANGES

Source: CONFIRM
Type: Vendor Advisory
http://svn.apache.org/viewcvs.cgi/httpd/apreq/tags/v2_07/CHANGES?rev=376998&view=markup

Source: DEBIAN
Type: Patch, Third Party Advisory
DSA-1000

Source: DEBIAN
Type: DSA-1000
libapreq2-perl -- design error

Source: CCN
Type: GLSA-200604-08
libapreq2: Denial of Service vulnerability

Source: GENTOO
Type: Third Party Advisory
GLSA-200604-08

Source: CCN
Type: OSVDB ID: 23124
Generic Apache Request Library (libapreq) apreq_parse_* Functions Remote DoS

Source: BID
Type: Patch, Third Party Advisory, VDB Entry
16710

Source: CCN
Type: BID-16710
Apache Libapreq2 Quadratic Behavior Denial of Service Vulnerability

Source: VUPEN
Type: Third Party Advisory
ADV-2006-0645

Source: XF
Type: Third Party Advisory, VDB Entry
libapreq2-parsing-dos(24917)

Source: XF
Type: UNKNOWN
libapreq2-parsing-dos(24917)

Vulnerable Configuration:

Configuration 1:

cpe:/a:apache:libapreq2:*:*:*:*:*:*:*:* (Version < 2.07)

Configuration 2:

cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:libapreq2:libapreq2:2.06_dev:*:*:*:*:*:*:*

OR cpe:/a:libapreq2:libapreq2:2.05_dev:*:*:*:*:*:*:*

OR cpe:/a:libapreq2:libapreq2:2.04_dev:*:*:*:*:*:*:*

OR cpe:/a:libapreq2:libapreq2:2.03_dev:*:*:*:*:*:*:*

OR cpe:/a:libapreq2:libapreq2:2.02_dev:*:*:*:*:*:*:*

OR cpe:/a:libapreq2:libapreq2:2.01_dev:*:*:*:*:*:*:*

OR cpe:/a:libapreq2:libapreq2:1.33:*:*:*:*:*:*:*

OR cpe:/a:libapreq2:libapreq2:1.3:*:*:*:*:*:*:*

OR cpe:/a:libapreq2:libapreq2:1.2:*:*:*:*:*:*:*

OR cpe:/a:libapreq2:libapreq2:1.1:*:*:*:*:*:*:*

OR cpe:/a:libapreq2:libapreq2:1.0:*:*:*:*:*:*:*

AND

cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.debian:def:1000	V	design error	2013-01-21