CVE-2017-7668 vulnerability in Apache and Other Products
Published on June 20, 2017

The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.


Weakness Type

Buffer Over-read

The software reads from a buffer using buffer access mechanisms, such as indexes or pointers, that reference memory locations after the end of the targeted buffer. This typically occurs when a pointer or index is incremented past the bounds of the buffer, or when pointer arithmetic yields a position outside the valid memory region. The result may be exposure of sensitive information or a crash.


Affected Versions

Apache Software Foundation Apache HTTP Server:

Exploit Probability

EPSS: 66.38%
Percentile: 98.52%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.