CVE-2013-1896
medium
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
4.3
Description
mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
SUSE Affected 3 releases
| Version | Status | Fixed in |
|---|---|---|
| 12.3 | Affected | โ |
| 12.2 | Affected | โ |
| 11.4 | Affected | โ |
Ubuntu Affected 4 releases
| Version | Status | Fixed in |
|---|---|---|
| 13.04 | Affected | โ |
| 12.10 | Affected | โ |
| 12.04 | Affected | โ |
| 10.04 | Affected | โ |
Red Hat Mixed 4 releases
| Version | Status | Fixed in |
|---|---|---|
| 6.4 | Affected | โ |
| 6.0 | Not affected | โ |
| 5.9 | Affected | โ |
| 5.0 | Not affected | โ |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.4.6-1 |
| sid | Fixed | 2.4.6-1 |
| forky | Fixed | 2.4.6-1 |
| bullseye | Fixed | 2.4.6-1 |
| bookworm | Fixed | 2.4.6-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | http_server | {"startIncluding":"2.2.0","endExcluding":"2.2.25"} | 2.2.25 |
| redhat | jboss_enterprise_application_platform | 6.0.0 | |
| redhat | jboss_enterprise_application_platform | 6.4.0 | |
| apache | http_server | {"startIncluding":"2.4.1","endExcluding":"2.4.6"} | 2.4.6 |
References
- https://security-tracker.debian.org/tracker/CVE-2013-1896
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00026.html
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00029.html
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00030.html
- http://rhn.redhat.com/errata/RHSA-2013-1156.html
- http://rhn.redhat.com/errata/RHSA-2013-1207.html
- http://rhn.redhat.com/errata/RHSA-2013-1208.html
- http://rhn.redhat.com/errata/RHSA-2013-1209.html
- http://secunia.com/advisories/55032
- http://support.apple.com/kb/HT6150
- http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?r1=1482522&r2=1485668&diff_format=h
- http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?view=log
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1896
- http://www-01.ibm.com/support/docview.wss?uid=swg21644047
- http://www.apache.org/dist/httpd/Announcement2.2.html
- http://www.securityfocus.com/bid/61129
- http://www.ubuntu.com/usn/USN-1903-1
- https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c03922406-1%257CdocLocale%253D%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r05b5357d1f6bd106f41541ee7d87aafe3f5ea4dc3e9bde5ce09baff8%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.