CVE-2017-15710

Impact:
Low
Public Date:
2018-03-24
CWE:
CWE-787
Bugzilla:
1560599: CVE-2017-15710 httpd: Out of bound write in mod_authnz_ldap when using too small Accept-Language values

The MITRE CVE dictionary describes this issue as:

In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

Find out more about CVE-2017-15710 from the MITRE CVE dictionary and NIST NVD.
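
The two-character fallback described above, modelled in C as an added example. This is illustrative code written for this page, not httpd's mod_authnz_ldap source: the conversion table, the function names derive_codepage_vuln and derive_codepage_fixed, and the probe harness are all assumptions. The vulnerable form writes the NUL at offset 2 unconditionally, so a value shorter than two characters lands the write past the string's terminator; the hardened form first checks that the value is longer than two characters, since otherwise there is nothing to truncate.

```c
#include <stdio.h>
#include <string.h>

/* Constructed conversion table standing in for an AuthLDAPCharsetConfig
 * file (illustrative entries, not httpd's data). */
static const struct {
    const char *lang;
    const char *charset;
} charset_table[] = {
    { "en",    "ISO-8859-1" },
    { "de",    "ISO-8859-1" },
    { "ja",    "Shift_JIS"  },
    { "ru",    "KOI8-R"     },
    { "zh-TW", "Big5"       },
};

/* Exact-match lookup; NULL on a miss. */
static const char *lookup_charset(const char *lang)
{
    size_t i;
    for (i = 0; i < sizeof(charset_table) / sizeof(charset_table[0]); i++) {
        if (strcmp(charset_table[i].lang, lang) == 0)
            return charset_table[i].charset;
    }
    return NULL;
}

/* Vulnerable shape of the fallback (hypothetical name): on a miss, truncate
 * the tag to two characters by writing a NUL at offset 2, with no check that
 * the string is that long.  For a one-character value such as "e", offset 2
 * is one byte past the terminator, i.e. not part of the string at all. */
const char *derive_codepage_vuln(char *language)
{
    const char *cs = lookup_charset(language);
    if (cs == NULL) {
        language[2] = '\0';                 /* out-of-bounds when strlen < 2 */
        cs = lookup_charset(language);
    }
    return cs != NULL ? cs : "ISO-8859-1";  /* default codepage */
}

/* Hardened shape (hypothetical name): only truncate when there is a third
 * character to cut; shorter values fall straight through to the default. */
const char *derive_codepage_fixed(char *language)
{
    const char *cs = lookup_charset(language);
    if (cs == NULL && strlen(language) > 2) {
        language[2] = '\0';
        cs = lookup_charset(language);
    }
    return cs != NULL ? cs : "ISO-8859-1";
}

/* Probe harness (constructed for this page).  The header value is copied
 * into a small buffer; for values shorter than two characters a sentinel is
 * planted at offset 2, the byte immediately after the terminator, to stand
 * in for "memory that is not part of the string".  Keeping that byte inside
 * the same array keeps the demonstration defined behaviour. */
#define SENTINEL 0x7f

struct probe {
    const char *charset;   /* charset the fallback resolved to */
    int clobbered;         /* 1 if the byte past the string was overwritten */
};

struct probe probe_fallback(const char *header_value,
                            const char *(*derive)(char *))
{
    char buf[16];
    struct probe p;
    size_t len = strlen(header_value);

    if (len > sizeof(buf) - 1)
        len = sizeof(buf) - 1;
    memset(buf, 0, sizeof(buf));
    memcpy(buf, header_value, len);
    if (len < 2)
        buf[2] = SENTINEL;

    p.charset = derive(buf);
    p.clobbered = (len < 2 && buf[2] != SENTINEL);
    return p;
}

int main(void)
{
    /* Constructed Accept-Language values: a direct hit, two values that
     * need the two-character fallback, and two that are too short for it. */
    const char *inputs[] = { "zh-TW", "ja-JP", "en-US", "e", "" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        struct probe v = probe_fallback(inputs[i], derive_codepage_vuln);
        struct probe f = probe_fallback(inputs[i], derive_codepage_fixed);
        printf("%-6s vuln: %-10s clobbered=%d | fixed: %-10s clobbered=%d\n",
               inputs[i], v.charset, v.clobbered, f.charset, f.clobbered);
    }
    return 0;
}
```

In the probe, "ja-JP" and "en-US" miss the table, get truncated to "ja" and "en" and resolve normally in both versions; "e" and the empty value overwrite the sentinel only in the vulnerable version. In the real server the byte after the string is whatever the allocator placed there, which is why the description rates the outcome as most likely harmless and at worst a crash. The fallback path is only reached when AuthLDAPCharsetConfig is configured and the header value misses the conversion table, so deployments without that directive do not exercise it.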

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score are preliminary and subject to review.

CVSS3 Base Score:       5.9
CVSS3 Base Metrics:     CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector:          Network
Attack Complexity:      High
Privileges Required:    None
User Interaction:       None
Scope:                  Unchanged
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    High

Affected Packages State

Platform                                                   Package             State
Red Hat Software Collections for Red Hat Enterprise Linux  httpd24-httpd       Affected
Red Hat Mobile Application Platform On-Premise 4           rhmap-httpd-docker  Not affected
Red Hat JBoss Web Server 3                                 httpd               Not affected
Red Hat JBoss EWS 2                                        httpd               Will not fix
Red Hat JBoss Core Services 1                              httpd               Affected
Red Hat Enterprise Linux 7                                 httpd               Affected
Red Hat Enterprise Linux 6                                 httpd               Affected
Red Hat Enterprise Linux 5                                 httpd               Will not fix

CVE description copyright © 2017, The MITRE Corporation
