CVE-2011-3607
Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow
Severity Score
9.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
4
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.
Desbordamiento de entero en la función en ap_pregsub / util.c en el servidor HTTP Apache v2.0.x hasta la v2.0.64 y la v2.2.x hasta la v2.2.21, cuando el módulo mod_setenvif está activado, que permite a usuarios locales conseguir privilegios a través de un archivo .htaccess que incluye una directiva SetEnvIf modificada, junto con un encabezado de solicitud HTTP manipulado, dando lugar a un desbordamiento de búfer basado en memoria dinámica.
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a.htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow. The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of RewriteRule and ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an \@ character and a : character in invalid positions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368. The updated packages have been patched to correct these issues.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2011-09-21 CVE Reserved
- 2011-11-02 CVE Published
- 2011-11-02 First Exploit
- 2024-08-06 CVE Updated
- 2025-07-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-189: Numeric Errors
- CWE-190: Integer Overflow or Wraparound
CAPEC
References (51)
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0 Search vendor "Apache" for product "Http Server" and version "2.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.9 Search vendor "Apache" for product "Http Server" and version "2.0.9" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.28 Search vendor "Apache" for product "Http Server" and version "2.0.28" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.28 Search vendor "Apache" for product "Http Server" and version "2.0.28" | beta |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.32 Search vendor "Apache" for product "Http Server" and version "2.0.32" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.32 Search vendor "Apache" for product "Http Server" and version "2.0.32" | beta |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.34 Search vendor "Apache" for product "Http Server" and version "2.0.34" | beta |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.35 Search vendor "Apache" for product "Http Server" and version "2.0.35" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.36 Search vendor "Apache" for product "Http Server" and version "2.0.36" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.37 Search vendor "Apache" for product "Http Server" and version "2.0.37" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.38 Search vendor "Apache" for product "Http Server" and version "2.0.38" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.39 Search vendor "Apache" for product "Http Server" and version "2.0.39" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.40 Search vendor "Apache" for product "Http Server" and version "2.0.40" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.41 Search vendor "Apache" for product "Http Server" and version "2.0.41" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.42 Search vendor "Apache" for product "Http Server" and version "2.0.42" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.43 Search vendor "Apache" for product "Http Server" and version "2.0.43" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.44 Search vendor "Apache" for product "Http Server" and version "2.0.44" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.45 Search vendor "Apache" for product "Http Server" and version "2.0.45" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.46 Search vendor "Apache" for product "Http Server" and version "2.0.46" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.47 Search vendor "Apache" for product "Http Server" and version "2.0.47" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.48 Search vendor "Apache" for product "Http Server" and version "2.0.48" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.49 Search vendor "Apache" for product "Http Server" and version "2.0.49" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.50 Search vendor "Apache" for product "Http Server" and version "2.0.50" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.51 Search vendor "Apache" for product "Http Server" and version "2.0.51" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.52 Search vendor "Apache" for product "Http Server" and version "2.0.52" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.53 Search vendor "Apache" for product "Http Server" and version "2.0.53" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.54 Search vendor "Apache" for product "Http Server" and version "2.0.54" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.55 Search vendor "Apache" for product "Http Server" and version "2.0.55" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.56 Search vendor "Apache" for product "Http Server" and version "2.0.56" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.57 Search vendor "Apache" for product "Http Server" and version "2.0.57" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.58 Search vendor "Apache" for product "Http Server" and version "2.0.58" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.59 Search vendor "Apache" for product "Http Server" and version "2.0.59" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.60 Search vendor "Apache" for product "Http Server" and version "2.0.60" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.61 Search vendor "Apache" for product "Http Server" and version "2.0.61" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.63 Search vendor "Apache" for product "Http Server" and version "2.0.63" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.0.64 Search vendor "Apache" for product "Http Server" and version "2.0.64" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.0 Search vendor "Apache" for product "Http Server" and version "2.2.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.1 Search vendor "Apache" for product "Http Server" and version "2.2.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.2 Search vendor "Apache" for product "Http Server" and version "2.2.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.3 Search vendor "Apache" for product "Http Server" and version "2.2.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.4 Search vendor "Apache" for product "Http Server" and version "2.2.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.6 Search vendor "Apache" for product "Http Server" and version "2.2.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.8 Search vendor "Apache" for product "Http Server" and version "2.2.8" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.9 Search vendor "Apache" for product "Http Server" and version "2.2.9" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.10 Search vendor "Apache" for product "Http Server" and version "2.2.10" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.11 Search vendor "Apache" for product "Http Server" and version "2.2.11" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.12 Search vendor "Apache" for product "Http Server" and version "2.2.12" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.13 Search vendor "Apache" for product "Http Server" and version "2.2.13" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.14 Search vendor "Apache" for product "Http Server" and version "2.2.14" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.15 Search vendor "Apache" for product "Http Server" and version "2.2.15" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.16 Search vendor "Apache" for product "Http Server" and version "2.2.16" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.18 Search vendor "Apache" for product "Http Server" and version "2.2.18" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.19 Search vendor "Apache" for product "Http Server" and version "2.2.19" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.20 Search vendor "Apache" for product "Http Server" and version "2.2.20" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Http Server Search vendor "Apache" for product "Http Server" | 2.2.21 Search vendor "Apache" for product "Http Server" and version "2.2.21" | - |
Affected
| ||||||