CVE-2008-2364

httpd: mod_proxy_http DoS via excessive interim responses from the origin server

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.

La función ap_proxy_http_process_response en mod_proxy_http.c en el modulo mod_proxy en el Servidor HTTP Apache 2.0.63 y 2.2.8 no limita el número de respuestas de desvío provisionales, lo que permite a servidores HTTP causar una denegación de servicio (memory consumption) a través de un gran número de respuestas provisionales.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2008-05-21 CVE Reserved
2008-06-13 CVE Published
2024-08-07 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (65)

URL	Tag	Source
http://secunia.com/advisories/31026	Not Applicable
http://secunia.com/advisories/31404	Not Applicable
http://secunia.com/advisories/31416	Not Applicable
http://secunia.com/advisories/31651	Not Applicable
http://secunia.com/advisories/31904	Not Applicable
http://secunia.com/advisories/32222	Not Applicable
http://secunia.com/advisories/32685	Not Applicable
http://secunia.com/advisories/32838	Not Applicable
http://secunia.com/advisories/33156	Not Applicable
http://secunia.com/advisories/33797	Not Applicable
http://secunia.com/advisories/34219	Not Applicable
http://secunia.com/advisories/34259	Not Applicable
http://secunia.com/advisories/34418	Not Applicable
http://support.apple.com/kb/HT3216	Broken Link
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0328	Broken Link
http://www-01.ibm.com/support/docview.wss?uid=swg27008517	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html	Third Party Advisory
http://www.securityfocus.com/archive/1/494858/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/498567/100/0/threaded	Mailing List
http://www.securityfocus.com/bid/31681	Third Party Advisory
http://www.securitytracker.com/id?1020267	Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/42987	Third Party Advisory
https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r8c9983f1172a3415f915ddb7e14de632d2d0c326eb1285755a024165%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11713	Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6084	Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9577	Signature

URL	Date	SRC

URL	Date	SRC
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=666154&r2=666153&pathrev=666154	2023-02-13
http://www.securityfocus.com/bid/29653	2023-02-13

URL	Date	SRC
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01539432	2023-02-13
http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html	2023-02-13
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html	2023-02-13
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html	2023-02-13
http://marc.info/?l=bugtraq&m=123376588623823&w=2	2023-02-13
http://marc.info/?l=bugtraq&m=125631037611762&w=2	2023-02-13
http://rhn.redhat.com/errata/RHSA-2008-0967.html	2023-02-13
http://secunia.com/advisories/30621	2023-02-13
http://security.gentoo.org/glsa/glsa-200807-06.xml	2023-02-13
http://sunsolve.sun.com/search/document.do?assetkey=1-26-247666-1	2023-02-13
http://www-1.ibm.com/support/docview.wss?uid=swg1PK67579	2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2008:195	2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2008:237	2023-02-13
http://www.redhat.com/support/errata/RHSA-2008-0966.html	2023-02-13
http://www.ubuntu.com/usn/USN-731-1	2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00055.html	2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00153.html	2023-02-13
https://access.redhat.com/security/cve/CVE-2008-2364	2010-08-04
https://bugzilla.redhat.com/show_bug.cgi?id=451615	2010-08-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				>= 2.0.35 < 2.0.64 Search vendor "Apache" for product "Http Server" and version " >= 2.0.35 < 2.0.64"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				>= 2.2.0 < 2.2.9 Search vendor "Apache" for product "Http Server" and version " >= 2.2.0 < 2.2.9"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				6.06 Search vendor "Canonical" for product "Ubuntu Linux" and version "6.06"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				7.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "7.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				8.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "8.04"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				8 Search vendor "Fedoraproject" for product "Fedora" and version "8"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				9 Search vendor "Fedoraproject" for product "Fedora" and version "9"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				3.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "3.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				4.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "4.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				5.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "5.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				4.7 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "4.7"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				5.2 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "5.2"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				3.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "3.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				4.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "4.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				5.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "5.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				3.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "3.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				4.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "4.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				5.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "5.0"		-		Affected