CVE-2017-15710 vulnerability in Apache and Other Products
Published on March 26, 2018
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
NVD
Products Associated with CVE-2017-15710
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2017-15710 are published in these products:
Affected Versions
Apache Software Foundation Apache HTTP Server:- Version 2.0.23 to 2.0.65 is affected.
- Version 2.2.0 to 2.2.34 is affected.
- Version 2.4.0 to 2.4.29 is affected.
Exploit Probability
EPSS
8.00%
Percentile
92.00%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.