CVE-2018-1302
moderate-risk
Published 2018-03-26
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer to potentially already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations. The reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.
Do I need to act?
12.1% chance of exploitation in next 30 days (EPSS score, higher than 88% of all CVEs)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 5.9/10 · Medium · NETWORK / HIGH complexity
Affected Products (6)
References (46)
Third Party Advisory: http://www.securityfocus.com/bid/103528
Third Party Advisory: http://www.securitytracker.com/id/1040567
Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:0366
Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:0367
Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html
Third Party Advisory: https://security.netapp.com/advisory/ntap-20180601-0004/
and 26 more references
43 / 100 · moderate-risk
Severity: 18/34 · Moderate
Exploitability: 12/34 · Low
Exposure: 13/34 · Low