CVE-2009-1955 (high-risk)
Published 2009-06-08
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
Do I need to act?
EPSS: 2.3% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Public exploits: 1 public exploit available
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 7.5/10 (High); attack vector NETWORK, LOW attack complexity
Affected Products (13)
References (120)
Mailing List: http://marc.info/?l=apr-dev&m=124396021826125&w=2
Mailing List: http://marc.info/?l=bugtraq&m=129190899612998&w=2
Broken Link: http://secunia.com/advisories/34724
Broken Link: http://secunia.com/advisories/35284
Broken Link: http://secunia.com/advisories/35360
Broken Link: http://secunia.com/advisories/35395
Broken Link: http://secunia.com/advisories/35444
Broken Link: http://secunia.com/advisories/35487
Broken Link: http://secunia.com/advisories/35565
Broken Link: http://secunia.com/advisories/35710
Broken Link: http://secunia.com/advisories/35797
Broken Link: http://secunia.com/advisories/35843
Broken Link: http://secunia.com/advisories/36473
Broken Link: http://secunia.com/advisories/37221
Third Party Advisory: http://security.gentoo.org/glsa/glsa-200907-03.xml
Broken Link: http://support.apple.com/kb/HT3937
and 100 more references
Overall score: 55/100 (high-risk)
Severity: 26/34 · High
Exploitability: 12/34 · Low
Exposure: 17/34 · Moderate