CVE-2010-2068

(mod_proxy): Sensitive response disclosure due improper handling of timeouts

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

mod_proxy_http.c in mod_proxy_http in the Apache HTTP Server 2.2.9 through 2.2.15, 2.3.4-alpha, and 2.3.5-alpha on Windows, NetWare, and OS/2, in certain configurations involving proxy worker pools, does not properly detect timeouts, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request.

mod_proxy_http.c en mod_proxy_http en el servidor Apache HTTP v2.2.9 hasta v2.2.15, v2.3.4-alpha, y 2.3.5-alpha en Windows, NetWare, y OS/2, en algunas configuraciones que implique grupos de trabajo proxy, no detecta de forma adecuada los "timeouts" lo que permite a atacantes remotos obtener una respuesta potencialmente sensibles, destinada a un cliente diferente en circunstancias oportunistas a través de una petición HTTP normal.

Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) running on Linux and Windows. The vulnerabilities could be exploited remotely and locally resulting in cross site request forgery (CSRF), Denial of Service (DoS), execution of arbitrary code, and other vulnerabilities. Revision 1 of this advisory.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2010-05-25 CVE Reserved
2010-06-16 CVE Published
2024-08-07 CVE Updated
2025-07-04 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (43)

URL	Tag	Source
http://mail-archives.apache.org/mod_mbox/httpd-announce/201006.mbox/%3C4C12933D.4060400%40apache.org%3E	Mailing List
http://marc.info/?l=apache-announce&m=128009718610929&w=2	Mailing List
http://secunia.com/advisories/40824	Third Party Advisory
http://secunia.com/advisories/41480	Third Party Advisory
http://secunia.com/advisories/41490	Third Party Advisory
http://secunia.com/advisories/41722	Third Party Advisory
http://securitytracker.com/id?1024096	Vdb Entry
http://support.apple.com/kb/HT4581	X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html	X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html	X_refsource_confirm
http://www.securityfocus.com/archive/1/511809/100/0/threaded	Mailing List
http://www.securityfocus.com/bid/40827	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/59413	Vdb Entry
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r064df0985779b7ee044d3120d71ba59750427cf53f57ba3384e3773f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r688df6f16f141e966a0a47f817e559312b3da27886f59116a94b273d%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rad2acee3ab838b52c04a0698b1728a9a43467bf365bd481c993c535d%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/re2e23465bbdb17ffe109d21b4f192e6b58221cd7aa8797d530b4cd75%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11491	Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6931	Signature

URL	Date	SRC

URL	Date	SRC
http://httpd.apache.org/security/vulnerabilities_22.html	2023-02-13
http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch	2023-02-13
http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch	2023-02-13
http://www.vupen.com/english/advisories/2010/1436	2023-02-13

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html	2023-02-13
http://secunia.com/advisories/40206	2023-02-13
http://www-01.ibm.com/support/docview.wss?uid=nas352ca0ac9460f9b8886257777005dd0e4	2023-02-13
http://www.ibm.com/support/docview.wss?uid=swg1PM16366	2023-02-13
http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995	2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150	2023-02-13
http://www.redhat.com/support/errata/RHSA-2011-0896.html	2023-02-13
https://access.redhat.com/security/cve/CVE-2010-2068	2011-06-22
https://bugzilla.redhat.com/show_bug.cgi?id=632994	2011-06-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.9 Search vendor "Apache" for product "Http Server" and version "2.2.9"	-	Affected	in	Ibm Search vendor "Ibm"	Os2 Search vendor "Ibm" for product "Os2"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.9 Search vendor "Apache" for product "Http Server" and version "2.2.9"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.9 Search vendor "Apache" for product "Http Server" and version "2.2.9"	-	Affected	in	Novell Search vendor "Novell"	Netware Search vendor "Novell" for product "Netware"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.10 Search vendor "Apache" for product "Http Server" and version "2.2.10"	-	Affected	in	Ibm Search vendor "Ibm"	Os2 Search vendor "Ibm" for product "Os2"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.10 Search vendor "Apache" for product "Http Server" and version "2.2.10"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.10 Search vendor "Apache" for product "Http Server" and version "2.2.10"	-	Affected	in	Novell Search vendor "Novell"	Netware Search vendor "Novell" for product "Netware"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.11 Search vendor "Apache" for product "Http Server" and version "2.2.11"	-	Affected	in	Ibm Search vendor "Ibm"	Os2 Search vendor "Ibm" for product "Os2"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.11 Search vendor "Apache" for product "Http Server" and version "2.2.11"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.11 Search vendor "Apache" for product "Http Server" and version "2.2.11"	-	Affected	in	Novell Search vendor "Novell"	Netware Search vendor "Novell" for product "Netware"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.12 Search vendor "Apache" for product "Http Server" and version "2.2.12"	-	Affected	in	Ibm Search vendor "Ibm"	Os2 Search vendor "Ibm" for product "Os2"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.12 Search vendor "Apache" for product "Http Server" and version "2.2.12"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.12 Search vendor "Apache" for product "Http Server" and version "2.2.12"	-	Affected	in	Novell Search vendor "Novell"	Netware Search vendor "Novell" for product "Netware"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.13 Search vendor "Apache" for product "Http Server" and version "2.2.13"	-	Affected	in	Ibm Search vendor "Ibm"	Os2 Search vendor "Ibm" for product "Os2"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.13 Search vendor "Apache" for product "Http Server" and version "2.2.13"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.13 Search vendor "Apache" for product "Http Server" and version "2.2.13"	-	Affected	in	Novell Search vendor "Novell"	Netware Search vendor "Novell" for product "Netware"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.14 Search vendor "Apache" for product "Http Server" and version "2.2.14"	-	Affected	in	Ibm Search vendor "Ibm"	Os2 Search vendor "Ibm" for product "Os2"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.14 Search vendor "Apache" for product "Http Server" and version "2.2.14"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.14 Search vendor "Apache" for product "Http Server" and version "2.2.14"	-	Affected	in	Novell Search vendor "Novell"	Netware Search vendor "Novell" for product "Netware"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.15 Search vendor "Apache" for product "Http Server" and version "2.2.15"	-	Affected	in	Ibm Search vendor "Ibm"	Os2 Search vendor "Ibm" for product "Os2"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.15 Search vendor "Apache" for product "Http Server" and version "2.2.15"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.2.15 Search vendor "Apache" for product "Http Server" and version "2.2.15"	-	Affected	in	Novell Search vendor "Novell"	Netware Search vendor "Novell" for product "Netware"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.3.4 Search vendor "Apache" for product "Http Server" and version "2.3.4"	alpha	Affected	in	Ibm Search vendor "Ibm"	Os2 Search vendor "Ibm" for product "Os2"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.3.4 Search vendor "Apache" for product "Http Server" and version "2.3.4"	alpha	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.3.4 Search vendor "Apache" for product "Http Server" and version "2.3.4"	alpha	Affected	in	Novell Search vendor "Novell"	Netware Search vendor "Novell" for product "Netware"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.3.5 Search vendor "Apache" for product "Http Server" and version "2.3.5"	alpha	Affected	in	Ibm Search vendor "Ibm"	Os2 Search vendor "Ibm" for product "Os2"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.3.5 Search vendor "Apache" for product "Http Server" and version "2.3.5"	alpha	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	2.3.5 Search vendor "Apache" for product "Http Server" and version "2.3.5"	alpha	Affected	in	Novell Search vendor "Novell"	Netware Search vendor "Novell" for product "Netware"	*	-	Safe