CVE-2011-1176

EUVD-2011-1186
The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers to gain privileges by leveraging the root uid and root gid of an mpm-itk process.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 4.3 UNKNOWN | NETWORK | MEDIUM | | AV:N/AC:M/Au:N/C:N/I:P/A:N |
EPSS Score
Percentile: 76%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| mpm-itk_project | mpm-itk | 2.2.11-01 |
| mpm-itk_project | mpm-itk | 2.2.11-02 |
| debian | debian_linux | 5.0 |
| debian | debian_linux | 6.0 |
| debian | debian_linux | 7.0 |

𝑥 = Vulnerable software versions
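Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| apache2 | bookworm | 2.4.62-1~deb12u1 | fixed |
| apache2 | bookworm (security) | 2.4.62-1~deb12u2 | fixed |
| apache2 | bullseye | 2.4.62-1~deb11u1 | fixed |
| apache2 | bullseye (security) | 2.4.62-1~deb11u2 | fixed |
| apache2 | lenny | | not-affected |
| apache2 | sid | 2.4.62-3 | fixed |
| apache2 | trixie | 2.4.62-3 | fixed |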
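Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| apache2 | dapper | | not-affected |
| apache2 | hardy | | not-affected |
| apache2 | karmic | | ignored |
| apache2 | lucid | Fixed 2.2.14-5ubuntu8.7 | released |
| apache2 | maverick | Fixed 2.2.16-1ubuntu3.4 | released |
| apache2 | natty | Fixed 2.2.17-1ubuntu1.4 | released |
| apache2 | oneiric | | not-affected |
| apache2-mpm-itk | dapper | | dne |
| apache2-mpm-itk | hardy | | not-affected |
| apache2-mpm-itk | karmic | | dne |
| apache2-mpm-itk | lucid | | dne |
| apache2-mpm-itk | maverick | | dne |
| apache2-mpm-itk | natty | | dne |
| apache2-mpm-itk | oneiric | | dne |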