The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
13 Feb 2023, 02:20
Type | Values Removed | Values Added |
---|---|---|
Summary | The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests. | |
References |
|
02 Feb 2023, 17:16
Type | Values Removed | Values Added |
---|---|---|
Summary | CVE-2009-1890 httpd: mod_proxy reverse proxy DoS (infinite loop) | |
References |
|
|
19 Sep 2022, 19:56
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-400 | |
First Time |
Redhat enterprise Linux Server
Fedoraproject Fedoraproject fedora Redhat enterprise Linux Desktop Debian Redhat Debian debian Linux Redhat enterprise Linux Workstation Redhat enterprise Linux Server Aus Canonical Canonical ubuntu Linux Redhat enterprise Linux Eus |
|
References |
|
|
References | (SECUNIA) http://secunia.com/advisories/35865 - Not Applicable | |
References | (MLIST) https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (AIXAPAR) http://www-01.ibm.com/support/docview.wss?uid=swg1PK99480 - Third Party Advisory | |
References | (SECUNIA) http://secunia.com/advisories/37152 - Not Applicable, Vendor Advisory | |
References | (UBUNTU) http://www.ubuntu.com/usn/USN-802-1 - Third Party Advisory | |
References | (FEDORA) https://www.redhat.com/archives/fedora-package-announce/2009-August/msg01363.html - Third Party Advisory | |
References | (REDHAT) http://www.redhat.com/support/errata/RHSA-2009-1156.html - Third Party Advisory | |
References | (VUPEN) http://www.vupen.com/english/advisories/2009/3184 - Permissions Required, Vendor Advisory | |
References | (DEBIAN) http://www.debian.org/security/2009/dsa-1834 - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (OVAL) https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9403 - Third Party Advisory | |
References | (SECUNIA) http://secunia.com/advisories/35691 - Not Applicable, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (GENTOO) http://security.gentoo.org/glsa/glsa-200907-04.xml - Third Party Advisory | |
References | (CONFIRM) http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587&r2=790586&pathrev=790587 - Patch, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (SECUNIA) http://secunia.com/advisories/35721 - Not Applicable | |
References | (SECTRACK) http://www.securitytracker.com/id?1022509 - Broken Link, Third Party Advisory, VDB Entry | |
References | (MANDRIVA) http://www.mandriva.com/security/advisories?name=MDVSA-2009:149 - Broken Link | |
References | (MLIST) https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (CONFIRM) http://support.apple.com/kb/HT3937 - Broken Link | |
References | (CONFIRM) http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html - Third Party Advisory | |
References | (APPLE) http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html - Broken Link, Mailing List | |
References | (SECUNIA) http://secunia.com/advisories/37221 - Not Applicable, Vendor Advisory | |
References | (OVAL) https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8616 - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (BUGTRAQ) http://www.securityfocus.com/archive/1/507852/100/0/threaded - Third Party Advisory, VDB Entry | |
References | (MLIST) https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (CONFIRM) http://wiki.rpath.com/Advisories:rPSA-2009-0142 - Broken Link | |
References | (REDHAT) https://rhn.redhat.com/errata/RHSA-2009-1148.html - Third Party Advisory | |
References | (SECUNIA) http://secunia.com/advisories/35793 - Not Applicable | |
References | (MANDRIVA) http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 - Broken Link | |
References | (MLIST) https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (AIXAPAR) http://www-01.ibm.com/support/docview.wss?uid=swg1PK91259 - Third Party Advisory | |
References | (BID) http://www.securityfocus.com/bid/35565 - Third Party Advisory, VDB Entry | |
References | (BUGTRAQ) http://www.securityfocus.com/archive/1/507857/100/0/threaded - Third Party Advisory, VDB Entry | |
References | (SUSE) http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00006.html - Mailing List, Third Party Advisory | |
References | (OVAL) https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12330 - Third Party Advisory | |
References | (HP) http://marc.info/?l=bugtraq&m=129190899612998&w=2 - Issue Tracking, Mailing List, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E - Mailing List, Vendor Advisory | |
References | (OSVDB) http://osvdb.org/55553 - Broken Link | |
CPE | cpe:2.3:a:apache:http_server:1.3.19:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.55:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.20:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.7:*:dev:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.31:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.15:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.26:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.0:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.16:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.33:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.34:beta:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.3:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.15:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.32:beta:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.56:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.5:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.13:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.29:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.24:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.26:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.24:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.2:*:windows:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.22:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.6:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:1.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.12:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.35:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.28:beta:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.4.0:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.39:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.20:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:0.8.11:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.38:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.23:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.16:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.52:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.6:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.8:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.10:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.50:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.9:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:*:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.2:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.53:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.18:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.30:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.13:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:2.1.7:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.22:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.8:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.60:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.57:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.68:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.9:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.46:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.32:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.32:beta:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.18:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.61:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.11:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.34:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.51:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.14:*:mac_os:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.49:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.2.5:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.17:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.19:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.14:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.36:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.2.6:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.58:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.23:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.17:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.2.9:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.9:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.7:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.10:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.58:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.0:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.99:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.14:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.28:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:0.8.14:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.12:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.2.4:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.28:beta:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.25:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.54:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.34:beta:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.65:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.3:*:windows:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.7:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.11:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:2.3.1:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.37:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.0.59:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.6:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.25:*:win32:*:*:*:*:* cpe:2.3:a:apache:http_server:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:2.1.9:*:*:*:*:*:*:* cpe:2.3:a:apache:http_server:1.3.4:*:*:*:*:*:*:* |
cpe:2.3:o:fedoraproject:fedora:11:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_eus:5.3:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:* cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server_aus:5.3:*:*:*:*:*:*:* |
06 Jun 2021, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
03 Jun 2021, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Mar 2021, 13:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2009-07-05 16:30
Updated : 2023-12-10 10:51
NVD link : CVE-2009-1890
Mitre link : CVE-2009-1890
CVE.ORG link : CVE-2009-1890
JSON object : View
Products Affected
redhat
- enterprise_linux_desktop
- enterprise_linux_server_aus
- enterprise_linux_server
- enterprise_linux_workstation
- enterprise_linux_eus
debian
- debian_linux
canonical
- ubuntu_linux
apache
- http_server
fedoraproject
- fedora
CWE
CWE-400
Uncontrolled Resource Consumption