CVE-2013-1896
UnknownEPSS 29.48%
Last modified
CVE-2013-1896 is a vulnerability of currently unknown severity. mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.. EPSS estimates a 29.48% chance of exploitation in the next 30 days.
Description
mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
Metrics
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Http Server | >= 2.2.0, < 2.2.25 |
| Apache | Http Server | >= 2.4.1, < 2.4.6 |
| Redhat | Jboss Enterprise Application Platform | 6.0.0 |
| Redhat | Jboss Enterprise Application Platform | 6.4.0 |
| Redhat | Enterprise Linux Desktop | 5.0 |
| Redhat | Enterprise Linux Desktop | 6.0 |
| Redhat | Enterprise Linux Eus | 5.9 |
| Redhat | Enterprise Linux Eus | 6.4 |
| Redhat | Enterprise Linux Server | 5.0 |
| Redhat | Enterprise Linux Server | 6.0 |
| Redhat | Enterprise Linux Server Aus | 5.9 |
| Redhat | Enterprise Linux Server Aus | 6.4 |
| Redhat | Enterprise Linux Workstation | 5.0 |
| Redhat | Enterprise Linux Workstation | 6.0 |
| Canonical | Ubuntu Linux | 10.04 |
| Canonical | Ubuntu Linux | 12.04 |
| Canonical | Ubuntu Linux | 12.10 |
| Canonical | Ubuntu Linux | 13.04 |
| Opensuse | Opensuse | 11.4 |
| Opensuse | Opensuse | 12.2 |
| Opensuse | Opensuse | 12.3 |
References
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00026.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00029.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00030.htmlMailing List, Third Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1156.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1207.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1208.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1209.htmlThird Party Advisory
- http://secunia.com/advisories/55032Not Applicable
- http://support.apple.com/kb/HT6150Third Party Advisory
- http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?r1=1482522&r2=1485668&diff_format=hExploit, Patch, Vendor Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21644047Third Party Advisory
- http://www.apache.org/dist/httpd/Announcement2.2.htmlVendor Advisory
- http://www.securityfocus.com/bid/61129Third Party Advisory, VDB Entry
- http://www.ubuntu.com/usn/USN-1903-1Third Party Advisory
- https://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00026.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00029.htmlMailing List, Third Party Advisory
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00030.htmlMailing List, Third Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1156.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1207.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1208.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2013-1209.htmlThird Party Advisory
- http://secunia.com/advisories/55032Not Applicable
- http://support.apple.com/kb/HT6150Third Party Advisory
- http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?r1=1482522&r2=1485668&diff_format=hExploit, Patch, Vendor Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21644047Third Party Advisory
- http://www.apache.org/dist/httpd/Announcement2.2.htmlVendor Advisory
- http://www.securityfocus.com/bid/61129Third Party Advisory, VDB Entry
- http://www.ubuntu.com/usn/USN-1903-1Third Party Advisory
- https://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2013-1896?
mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
How severe is CVE-2013-1896?
Severity scoring for CVE-2013-1896 is pending analysis. The EPSS model estimates a 29.48% probability of exploitation in the next 30 days.
How do I fix CVE-2013-1896?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2013-1896?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST