Vulnerability CVE-2011-0419: Information

Description

Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.

Severity: MEDIUM (4.3)

URL: https://nvd.nist.gov/vuln/detail/CVE-2011-0419

Published: May 16, 2011

Modified: April 2, 2024

Error type identifier: CWE-770

References to Advisories, Solutions, and Tools

Hyperlink	Resource
http://cxib.net/stuff/apr_fnmatch.txts	Third Party Advisory
20110512 Multiple Vendors libc/fnmatch(3) DoS (incl apache)	Exploit Third Party Advisory
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fnmatch.c#rev1.15	Broken Link
http://www.apache.org/dist/apr/CHANGES-APR-1.4	Broken Link
http://httpd.apache.org/security/vulnerabilities_22.html	Vendor Advisory
http://svn.apache.org/viewvc?view=revision&revision=1098188	Patch Vendor Advisory
44490	Not Applicable Vendor Advisory
RHSA-2011:0507	Third Party Advisory
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/fnmatch.c#rev1.22	Third Party Advisory
http://www.apache.org/dist/apr/Announcement1.x.html	Patch Vendor Advisory
1025527	Broken Link Third Party Advisory VDB Entry
http://www.apache.org/dist/httpd/Announcement2.2.html	Patch Vendor Advisory
44564	Not Applicable Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=703390	Issue Tracking Patch Third Party Advisory
http://cxib.net/stuff/apache.fnmatch.phps	Patch Third Party Advisory
http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/strings/apr_fnmatch.c?r1=731029&r2=1098902	Patch Vendor Advisory
http://svn.apache.org/viewvc?view=revision&revision=1098799	Patch Vendor Advisory
44574	Not Applicable Vendor Advisory
DSA-2237	Third Party Advisory
MDVSA-2011:084	Broken Link
RHSA-2011:0897	Third Party Advisory
RHSA-2011:0896	Third Party Advisory
8246	Exploit Third Party Advisory
APPLE-SA-2011-10-12-3	Broken Link
http://support.apple.com/kb/HT5002	Third Party Advisory
HPSBUX02702	Issue Tracking Mailing List Third Party Advisory
HPSBUX02707	Issue Tracking Mailing List Third Party Advisory
SSRT100619	Issue Tracking Mailing List Third Party Advisory
SUSE-SU-2011:1229	Mailing List Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html	Third Party Advisory
SSRT100966	Issue Tracking Mailing List Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html	Third Party Advisory
MDVSA-2013:150	Broken Link
oval:org.mitre.oval:def:14804	Third Party Advisory
oval:org.mitre.oval:def:14638	Third Party Advisory
48308	Not Applicable
[dev] 20110511 Re: Apache Portable Runtime 1.4.4 [...] Released	Mailing List Third Party Advisory
[dev] 20110510 Re: Apache Portable Runtime 1.4.4 [...] Released	Mailing List Third Party Advisory
[dev] 20110510 Re: fnmatch rewrite in apr, apr 1.4.3	Mailing List Third Party Advisory
[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html	Third Party Advisory
[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html	Third Party Advisory
[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html	Third Party Advisory
[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html	Third Party Advisory
[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html	Third Party Advisory
[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html	Third Party Advisory
[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html	Third Party Advisory
[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html	Third Party Advisory
[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/	Third Party Advisory VDB Entry
[httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html	Third Party Advisory
[httpd-cvs] 20210330 svn commit: r1888194 [7/13] - /httpd/site/trunk/content/security/json/	Third Party Advisory
[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html	Third Party Advisory
[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/	Third Party Advisory
[httpd-cvs] 20210330 svn commit: r1073139 [7/13] - in /websites/staging/httpd/trunk/content: ./ security/json/	Third Party Advisory
[httpd-cvs] 20210330 svn commit: r1073149 [8/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/	Third Party Advisory
[httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html	Third Party Advisory
[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/	Third Party Advisory
[httpd-cvs] 20210330 svn commit: r1888222 - in /httpd/site/trunk/content/security/json: CVE-2010-2068.json CVE-2010-2791.json CVE-2011-0419.json CVE-2011-3368.json	Third Party Advisory
[httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html	Third Party Advisory

Affected configurations:
1. Configuration 1
  cpe:2.3:a:apache:portable_runtime:*:*:*:*:*:*:*:*
  End excliding
  1.4.3
  
  Configuration 2
  cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
  Start including
  2.0.0
  End including
  2.0.65
  cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
  Start including
  2.2.0
  End including
  2.2.18
  
  Configuration 3
  cpe:2.3:o:netbsd:netbsd:5.1:*:*:*:*:*:*:*
  cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
  cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*
  cpe:2.3:o:openbsd:openbsd:4.8:*:*:*:*:*:*:*
  cpe:2.3:o:apple:mac_os_x:10.6.0:*:*:*:*:*:*:*
  cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:*
  
  Configuration 4
  cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
  
  Configuration 5
  cpe:2.3:o:suse:linux_enterprise_server:10:sp3:*:*:-:*:*:*

Version: v24.4.2

Vulnerability CVE-2011-0419: Information

Description

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5