<p>Upgrade <code>Alpine:3.18</code> <code>apache2</code> to version 2.4.27-r1 or higher.</p>

Use After Free Affecting apache2 package, versions <2.4.27-r1

Threat Intelligence

Mature

97.39% (100^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-ALPINE318-APACHE2-5511405
published 18 Sep 2017
disclosed 18 Sep 2017

Report a new vulnerability Found a mistake?

Introduced: 18 Sep 2017

CVE-2017-9798 Open this link in a new tab CWE-416 Open this link in a new tab

How to fix?

Upgrade Alpine:3.18 apache2 to version 2.4.27-r1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream apache2 package and not the apache2 package as distributed by Alpine. See How to fix? for Alpine:3.18 relevant fixed versions and status.

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

None
Availability (A)

None