CVE-2012-0021

The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value.
Severity
UNKNOWN
AV:N/AC:H/Au:N/C:N/I:N/A:P
Atk. Vector
NETWORK
Atk. Complexity
HIGH
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
VendorProductVersion
apachehttp_server
2.2.17
apachehttp_server
2.2.18
apachehttp_server
2.2.19
apachehttp_server
2.2.20
apachehttp_server
2.2.21
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
apache2
bullseye
2.4.62-1~deb11u1
fixed
squeeze
not-affected
lenny
not-affected
bullseye (security)
2.4.62-1~deb11u2
fixed
bookworm
2.4.62-1~deb12u1
fixed
bookworm (security)
2.4.62-1~deb12u2
fixed
sid
2.4.62-3
fixed
trixie
2.4.62-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
apache2
oneiric
Fixed 2.2.20-1ubuntu1.2
released
natty
Fixed 2.2.17-1ubuntu1.5
released
maverick
not-affected
lucid
not-affected
hardy
not-affected
References