CVE-2011-3368


General

Score: 5.0/10.0
Severity: Medium
Category: Input Validation Error
Exploit: Available

Impact Metrics

Confidentiality: Partial
Integrity: None
Availability: None

Exploitability Metrics

Access Vector: Network
Access Complexity: Low
Authentication: None

Related vulnerabilities

CVE-2007-6750, CVE-2011-0419, CVE-2011-1473, CVE-2011-1928, CVE-2011-3026, CVE-2011-3048, CVE-2011-3192, CVE-2011-3347, CVE-2011-3348, CVE-2011-3389, CVE-2011-3607, CVE-2011-3639, CVE-2011-4313, CVE-2011-4317, CVE-2011-4599, CVE-2011-4858, CVE-2012-0021, CVE-2012-0022, CVE-2012-0031, CVE-2012-0053, CVE-2012-0643, CVE-2012-0650, CVE-2012-0652, CVE-2012-0668, CVE-2012-0670, CVE-2012-0671, CVE-2012-0831, CVE-2012-0883, CVE-2012-1172, CVE-2012-1173, CVE-2012-1667, CVE-2012-1823, CVE-2012-2143, CVE-2012-2311, CVE-2012-2386, CVE-2012-2687, CVE-2012-2688, CVE-2012-3499, CVE-2012-3716, CVE-2012-3718, CVE-2012-3719, CVE-2012-3720, CVE-2012-3721, CVE-2012-3722, CVE-2012-3723, CVE-2012-4557, CVE-2012-4558, CVE-2013-1862, CVE-2013-1896

Published on 06/10/11 - Updated on 09/01/18

Description

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

Category: Input Validation Error

CWE-20 (Input Validation)
The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

Security Notices

US National Vulnerability Database CVE-2011-3368
Amazon Linux ALAS-2011-9
Agence Nationale de la Sécurité des Systèmes d'Information CERTA-2011-AVI-562, CERTA-2011-AVI-607, CERTA-2012-AVI-023, CERTA-2012-AVI-050, CERTA-2012-AVI-156, CERTA-2012-AVI-218, CERTA-2012-AVI-393, CERTA-2012-AVI-512, CERTA-2012-AVI-566, CERTA-2013-AVI-416, CERTA-2013-AVI-508, CERTFR-2014-AVI-357, CERTFR-2014-AVI-480, CERTFR-2015-AVI-030
CentOS CESA-2011:1392, CESA-2012:0128
Debian DSA-2405-1
Oracle Linux ELSA-2011-1391, ELSA-2011-1392
Red Hat RHSA-2011:1391, RHSA-2011:1392, RHSA-2012:0128, RHSA-2012:0323
Renater 2011/VULN577, 2012/VULN053, 2012/VULN165, 2012/VULN369, 2012/VULN409, 2013/VULN310
SUSE SUSE-SU-2013:0389, SUSE-SU-2013:0469, SUSE-SU-2013:0830

Exploits

Exploit-DB EDB-17969
SecurityFocus BID-49957

Related technologies

Vendor: apache
Product: http_server
