CVE-2009-1195

Published May 28, 2009

Last updated 2 months ago

CVSS info 4.9

Overview

Description: The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file.
Source: secalert@redhat.com
NVD status: Modified
Products: http_server

Risk scores

CVSS 2.0

Type: Primary
Base score: 4.9
Impact score: 6.9
Exploitability score: 3.9
Vector string: AV:L/AC:L/Au:N/C:N/I:N/A:C

Weaknesses

nvd@nist.gov: CWE-16

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "67AD11FB-529C-404E-A13B-284F145322B8",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:http_server:2.2.1:*:*:*:*:*:*:*",
            "matchCriteriaId": "733D62FE-180A-4AE8-9DBF-DA1DC18C1932",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*",
            "matchCriteriaId": "CCBBB7FE-35FC-4515-8393-5145339FCE4D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*",
            "matchCriteriaId": "F519633F-AB68-495A-B85E-FD41F9F752CA",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*",
            "matchCriteriaId": "A894BED6-C97D-4DA4-A13D-9CB2B3306BC5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:http_server:2.2.7:*:*:*:*:*:*:*",
            "matchCriteriaId": "5D5B52AA-B059-47D1-87CD-D2F002387FBF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:http_server:2.2.8:*:*:*:*:*:*:*",
            "matchCriteriaId": "9AF3A0F5-4E5C-4278-9927-1F94F25CCAFC",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:http_server:2.2.9:*:*:*:*:*:*:*",
            "matchCriteriaId": "AB63EBE5-CF14-491E-ABA5-67116DFE3E5B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:http_server:2.2.10:*:*:*:*:*:*:*",
            "matchCriteriaId": "8C2A33DE-F55F-4FD8-BB00-9C1E006CA65C",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 2.0

Weaknesses

Social media

Configurations

Related CVEs

References