CVE-2018-1301
moderate-risk
Published 2018-03-26
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.
Do I need to act?
~
7.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10
Medium
NETWORK
/ HIGH complexity
Affected Products (18)
References (56)
Third Party Advisory
http://www.securityfocus.com/bid/103515
Third Party Advisory
http://www.securitytracker.com/id/1040573
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3558
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0366
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0367
Vendor Advisory
https://httpd.apache.org/security/vulnerabilities_24.html
and 36 more references
47
/ 100
moderate-risk
Severity
18/34 · Moderate
Exploitability
10/34 · Low
Exposure
19/34 · Moderate