CVE-2009-1955

Impact: Moderate
Public Date: 2009-06-01
Bugzilla: 504555: CVE-2009-1955 apr-util billion laughs attack

The MITRE CVE dictionary describes this issue as:

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
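The defence apr-util 1.3.7 adopted was to stop the parser at the first entity declaration, before any expansion can occur. The following added example (my own code, not apr-util's, using Python's expat binding) shows that check against a small constructed PROPFIND body that declares nested entities, and contrasts it with an unhardened parse that expands them; `parse_propfind` and the sample documents are assumptions for illustration.

```python
import xml.parsers.expat


class EntityDeclarationRejected(Exception):
    """Raised when the document declares any XML entity."""


# Constructed WebDAV PROPFIND body with a short nested-entity chain.
# l2 -> 4 x l1 -> 16 x l0 -> 48 characters once fully expanded.
PROPFIND_WITH_ENTITIES = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE propfind ['
    b'<!ENTITY l0 "lol">'
    b'<!ENTITY l1 "&l0;&l0;&l0;&l0;">'
    b'<!ENTITY l2 "&l1;&l1;&l1;&l1;">'
    b']>'
    b'<D:propfind xmlns:D="DAV:"><D:prop>'
    b'<D:displayname>&l2;</D:displayname>'
    b'</D:prop></D:propfind>'
)

# Constructed benign PROPFIND body with no DTD at all.
PROPFIND_PLAIN = (
    b'<?xml version="1.0"?>'
    b'<D:propfind xmlns:D="DAV:"><D:prop>'
    b'<D:displayname/></D:prop></D:propfind>'
)


def parse_propfind(body, reject_entities=True):
    """Parse a request body; refuse it if it declares entities."""
    parser = xml.parsers.expat.ParserCreate()
    elements, expanded = [], [0]
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    # Count the character data the parser actually hands back; with
    # entities expanded this is what the server ends up holding in memory.
    parser.CharacterDataHandler = lambda data: expanded.__setitem__(0, expanded[0] + len(data))
    if reject_entities:
        def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
            # Fires on the first <!ENTITY ...>, before any expansion.
            raise EntityDeclarationRejected(name)
        parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(body, True)
    except EntityDeclarationRejected as exc:
        return {"accepted": False, "reason": "entity declaration: %s" % exc}
    return {"accepted": True, "elements": elements, "expanded_chars": expanded[0]}
```

With the check enabled, the hostile body is refused at the DTD, while the benign request still parses normally.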

Find out more about CVE-2009-1955 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score 5
Base Metrics AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 4 (apr-util) RHSA-2009:1107 2009-06-16
Red Hat JBoss Web Server 1.0 for RHEL 4 AS (httpd22) RHSA-2009:1160 2009-07-17
Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602 2010-08-04
Red Hat Enterprise Linux 3 (httpd) RHSA-2009:1108 2009-06-16
Red Hat Enterprise Linux 5 (apr-util) RHSA-2009:1107 2009-06-16

CVE description copyright © 2017, The MITRE Corporation