Vulnerability Name:

CVE-2008-2384 (CCN-48163)

Assigned:2008-05-21
Published:2009-01-22
Updated:2018-10-30
Summary:SQL injection vulnerability in mod_auth_mysql.c in the mod-auth-mysql (aka libapache2-mod-auth-mysql) module for the Apache HTTP Server 2.x, when configured to use a multibyte character set that allows a \ (backslash) as part of the character encoding, allows remote attackers to execute arbitrary SQL commands via unspecified inputs in a login request.
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.2 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:UR)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.2 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:UR)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.6 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:UR)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-89
Vulnerability Consequences:Data Manipulation
References:Source: MITRE
Type: CNA
CVE-2008-2384

Source: CONFIRM
Type: Patch
http://klecker.debian.org/~white/mod-auth-mysql/CVE-2008-2384_mod-auth-mysql.patch

Source: FEDORA
Type: UNKNOWN
FEDORA-2011-0100

Source: FEDORA
Type: UNKNOWN
FEDORA-2011-0114

Source: MLIST
Type: UNKNOWN
[oss-security] 20090121 mod-auth-mysql: SQL injection

Source: CCN
Type: RHSA-2009-0259
Moderate: mod_auth_mysql security update

Source: CCN
Type: RHSA-2010-1002
Moderate: mod_auth_mysql security update

Source: CCN
Type: SA33627
mod-auth-mysql SQL Injection Vulnerability

Source: SECUNIA
Type: Vendor Advisory
33627

Source: SECUNIA
Type: UNKNOWN
43302

Source: CCN
Type: Debian Web site
Debian

Source: CCN
Type: oss-security Mailing List, Wed, 21 Jan 2009 11:46:41 -0500
mod-auth-mysql: SQL injection

Source: REDHAT
Type: UNKNOWN
RHSA-2009:0259

Source: REDHAT
Type: UNKNOWN
RHSA-2010:1002

Source: BID
Type: UNKNOWN
33392

Source: CCN
Type: BID-33392
'mod_auth_mysql' Package Multibyte Character Encoding SQL Injection Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2009-0226

Source: VUPEN
Type: UNKNOWN
ADV-2011-0367

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=480238

Source: XF
Type: UNKNOWN
modauthmysql-multibyte-sql-injection(48163)

Source: XF
Type: UNKNOWN
modauthmysql-multibyte-sql-injection(48163)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10172

Vulnerable Configuration:Configuration 1:
  • cpe:/a:joey_schulze:mod_auth_mysql:*:*:*:*:*:*:*:*
  • AND
  • cpe:/a:apache:http_server:-:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.28:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.28:beta:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.28:beta:win32:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.32:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.32:beta:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.32:beta:win32:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.34:beta:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.34:beta:win32:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.35:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.36:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.37:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.38:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.39:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.40:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.41:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.42:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.43:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.44:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.45:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.46:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.46:*:win32:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.47:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.48:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.49:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.50:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.51:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.52:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.53:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.54:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.55:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.56:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.57:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.58:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.58:*:win32:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.59:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.60:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.0.61:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.2:*:windows:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.3:*:windows:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.3.0:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

    • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20082384
    V
    		CVE-2008-2384
    2017-09-27
    oval:org.mitre.oval:def:28850
    P
    		RHSA-2009:0259 -- mod_auth_mysql security update (Moderate)
    2015-08-17
    oval:org.mitre.oval:def:23560
    P
    		ELSA-2010:1002: mod_auth_mysql security update (Moderate)
    2014-05-26
    oval:org.mitre.oval:def:21794
    P
    		ELSA-2009:0259: mod_auth_mysql security update (Moderate)
    2014-05-26
    oval:org.mitre.oval:def:22105
    P
    		RHSA-2010:1002: mod_auth_mysql security update (Moderate)
    2014-02-24
    oval:org.mitre.oval:def:10172
    V
    		SQL injection vulnerability in mod_auth_mysql.c in the mod-auth-mysql (aka libapache2-mod-auth-mysql) module for the Apache HTTP Server 2.x allows remote attackers to execute arbitrary SQL commands via multibyte character encodings for unspecified input.
    2013-04-29
    oval:com.redhat.rhsa:def:20101002
    P
    		RHSA-2010:1002: mod_auth_mysql security update (Moderate)
    2010-12-21
    oval:com.redhat.rhsa:def:20090259
    P
    		RHSA-2009:0259: mod_auth_mysql security update (Moderate)
    2009-02-11
    BACK
    joey_schulze mod auth mysql *
    apache http server -
    apache http server 2.0
    apache http server 2.0.9
    apache http server 2.0.28
    apache http server 2.0.28 beta
    apache http server 2.0.28 beta
    apache http server 2.0.32
    apache http server 2.0.32 beta
    apache http server 2.0.32 beta
    apache http server 2.0.34 beta
    apache http server 2.0.34 beta
    apache http server 2.0.35
    apache http server 2.0.36
    apache http server 2.0.37
    apache http server 2.0.38
    apache http server 2.0.39
    apache http server 2.0.40
    apache http server 2.0.41
    apache http server 2.0.42
    apache http server 2.0.43
    apache http server 2.0.44
    apache http server 2.0.45
    apache http server 2.0.46
    apache http server 2.0.46
    apache http server 2.0.47
    apache http server 2.0.48
    apache http server 2.0.49
    apache http server 2.0.50
    apache http server 2.0.51
    apache http server 2.0.52
    apache http server 2.0.53
    apache http server 2.0.54
    apache http server 2.0.55
    apache http server 2.0.56
    apache http server 2.0.57
    apache http server 2.0.58
    apache http server 2.0.58
    apache http server 2.0.59
    apache http server 2.0.60
    apache http server 2.0.61
    apache http server 2.1
    apache http server 2.1.1
    apache http server 2.1.2
    apache http server 2.1.3
    apache http server 2.1.4
    apache http server 2.1.5
    apache http server 2.1.6
    apache http server 2.1.7
    apache http server 2.1.8
    apache http server 2.2
    apache http server 2.2.0
    apache http server 2.2.1
    apache http server 2.2.2
    apache http server 2.2.2
    apache http server 2.2.3
    apache http server 2.2.3
    apache http server 2.2.4
    apache http server 2.2.6
    apache http server 2.3.0