Strix
26.1K

CVE-2009-2412

UnknownEPSS 13.78%

Last modified

CVE-2009-2412 is a vulnerability of currently unknown severity. Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information.. EPSS estimates a 13.78% chance of exploitation in the next 30 days.

Description

Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information.

Metrics

EPSS Probability
13.78%

96.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
ApacheApr-Util0.9.1
ApacheApr-Util0.9.2
ApacheApr-Util0.9.2-dev
ApacheApr-Util0.9.3
ApacheApr-Util0.9.3-dev
ApacheApr-Util0.9.4
ApacheApr-Util0.9.5
ApacheApr-Util0.9.6
ApacheApr-Util0.9.7-dev
ApacheApr-Util0.9.8
ApacheApr-Util0.9.9
ApacheApr-Util0.9.16
ApacheApr-Util1.3.0
ApacheApr-Util1.3.1
ApacheApr-Util1.3.2
ApacheApr-Util1.3.3
ApacheApr-Util1.3.4
ApacheApr-Util1.3.4-dev
ApacheApr-Util1.3.5
ApacheApr-Util1.3.6
ApacheApr-Util1.3.6-dev
ApacheApr-Util1.3.7
ApacheApr-Util1.3.8
ApachePortable Runtime0.9.1
ApachePortable Runtime0.9.2
ApachePortable Runtime0.9.2-dev
ApachePortable Runtime0.9.3
ApachePortable Runtime0.9.3-dev
ApachePortable Runtime0.9.4
ApachePortable Runtime0.9.5
ApachePortable Runtime0.9.6
ApachePortable Runtime0.9.7
ApachePortable Runtime0.9.7-dev
ApachePortable Runtime0.9.8
ApachePortable Runtime0.9.9
ApachePortable Runtime0.9.16-dev
ApachePortable Runtime1.3.0
ApachePortable Runtime1.3.1
ApachePortable Runtime1.3.2
ApachePortable Runtime1.3.3
ApachePortable Runtime1.3.4
ApachePortable Runtime1.3.4-dev
ApachePortable Runtime1.3.5
ApachePortable Runtime1.3.6
ApachePortable Runtime1.3.6-dev
ApachePortable Runtime1.3.7
ApachePortable Runtime1.3.8

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2009-2412?
Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information.
How severe is CVE-2009-2412?
Severity scoring for CVE-2009-2412 is pending analysis. The EPSS model estimates a 13.78% probability of exploitation in the next 30 days.
How do I fix CVE-2009-2412?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2009-2412?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST