CVE-2011-0419
The MITRE CVE dictionary describes this issue as:
Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.
Find out more about CVE-2011-0419 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v2 metrics
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 5 (apr) | RHSA-2011:0507 | 2011-05-11 |
| Red Hat JBoss Web Server 1.0 for RHEL 4 AS | RHSA-2011:0897 | 2011-06-22 |
| Red Hat Enterprise Linux 6 (apr) | RHSA-2011:0507 | 2011-05-11 |
| Red Hat Enterprise Linux 4 (apr) | RHSA-2011:0507 | 2011-05-11 |
| Red Hat JBoss Web Server 1.0 | RHSA-2011:0896 | 2011-06-22 |
| Red Hat JBoss Enterprise Web Server 1 for RHEL 6 Server | RHSA-2011:0897 | 2011-06-22 |
| Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server | RHSA-2011:0897 | 2011-06-22 |
Acknowledgements
Red Hat would like to thank Maksymilian Arciemowicz for reporting this issue.Mitigation
mod_autoindex can be configured to ignore request query arguments provided by the client by adding IgnoreClient option to the IndexOptions directive:
http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#indexoptions.ignoreclient
CVE description copyright © 2017, The MITRE Corporation