CVE-2011-0419
Summary
| CVE | CVE-2011-0419 |
|---|---|
| State | PUBLISHED |
| Assigner | certcc |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2011-05-16 17:55:02 UTC |
| Updated | 2026-04-29 01:13:23 UTC |
| Description | Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd. |
Risk And Classification
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality | None |
| Integrity | None |
| Availability | Partial |
| Vector | AV:N/AC:M/Au:N/C:N/I:N/A:P |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Http Server | All | All | All | All |
| Application | Apache | Portable Runtime | All | All | All | All |
| Operating System | Apple | Mac Os X | 10.6.0 | All | All | All |
| Operating System | Debian | Debian Linux | 5.0 | All | All | All |
| Operating System | Debian | Debian Linux | 6.0 | All | All | All |
| Operating System | Debian | Debian Linux | 7.0 | All | All | All |
| Operating System | Freebsd | Freebsd | All | All | All | All |
| Operating System | Android | All | All | All | All | |
| Operating System | Netbsd | Netbsd | 5.1 | All | All | All |
| Operating System | Openbsd | Openbsd | 4.8 | All | All | All |
| Operating System | Oracle | Solaris | 10 | All | All | All |
| Operating System | Suse | Linux Enterprise Server | 10 | sp3 | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Re: Apache Portable Runtime 1.4.4 [...] Released | af854a3a-2127-422b-91ae-364da2661108 | www.mail-archive.com | Mailing List, Third Party Advisory |
| Oracle Critical Patch Update - July 2012 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Third Party Advisory |
| [Apache-SVN] Diff of /apr/apr/branches/1.4.x/strings/apr_fnmatch.c | af854a3a-2127-422b-91ae-364da2661108 | svn.apache.org | Patch, Vendor Advisory |
| Apache Portable Runtime library 1.5.2 Released | af854a3a-2127-422b-91ae-364da2661108 | www.apache.org | Patch, Vendor Advisory |
| Red Hat update for apr - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Vendor Advisory |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | Third Party Advisory |
| Apache APR "apr_fnmatch()" Pattern Processing Denial of Service Vulnerability - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Vendor Advisory |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | Third Party Advisory |
| CVS log for src/lib/libc/gen/fnmatch.c | af854a3a-2127-422b-91ae-364da2661108 | www.openbsd.org | Broken Link |
| '[security bulletin] HPSBUX02707 SSRT100626 rev.1 - HP-UX Apache Web Server, Remote Denial of Service' - MARC | af854a3a-2127-422b-91ae-364da2661108 | marc.info | Issue Tracking, Mailing List, Third Party Advisory |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | Third Party Advisory, VDB Entry |
| Repository / Oval Repository | af854a3a-2127-422b-91ae-364da2661108 | oval.cisecurity.org | Third Party Advisory |
| Support | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | Third Party Advisory |
| APPLE-SA-2011-10-12-3 OS X Lion v10.7.2 and Security Update 2011-006 | af854a3a-2127-422b-91ae-364da2661108 | lists.apple.com | Broken Link |
| Support / Security / Advisories / / MDVSA-2011:084 | Mandriva | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | Broken Link |
| '[security bulletin] HPSBMU02704 SSRT100619 rev.1 - HP OpenView Network Node Manager (OV NNM) Running' - MARC | af854a3a-2127-422b-91ae-364da2661108 | marc.info | Issue Tracking, Mailing List, Third Party Advisory |
| Bug 703390 – CVE-2011-0419 apr: unconstrained recursion in apr_fnmatch | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | Issue Tracking, Patch, Third Party Advisory |
| CVS log for src/lib/libc/gen/fnmatch.c | af854a3a-2127-422b-91ae-364da2661108 | cvsweb.netbsd.org | Third Party Advisory |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | Third Party Advisory |
| Oracle Critical Patch Update - July 2013 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Third Party Advisory |
| Apache HTTP Server Project | af854a3a-2127-422b-91ae-364da2661108 | www.apache.org | Patch, Vendor Advisory |
| All about me - Maksymilian Arciemowicz - cxib.net | af854a3a-2127-422b-91ae-364da2661108 | cxib.net | Third Party Advisory |
| [security-announce] SUSE-SU-2011:1229-1: important: Security update for | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| About Secunia Research | Flexera | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable |
| About the security content of OS X Lion v10.7.2 and Security Update 2011-006 | af854a3a-2127-422b-91ae-364da2661108 | support.apple.com | Third Party Advisory |
| httpd 2.2 vulnerabilities - The Apache HTTP Server Project | af854a3a-2127-422b-91ae-364da2661108 | httpd.apache.org | Vendor Advisory |
| Support / Security / Advisories / / MDVSA-2013:150 | Mandriva | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | Broken Link |
| Multiple Vendors libc/fnmatch(3) DoS (incl apache) ( Research Advisory ) - SecurityReason.com | af854a3a-2127-422b-91ae-364da2661108 | securityreason.com | Exploit, Third Party Advisory |
| '[security bulletin] HPSBOV02822 SSRT100966 rev.1 - HP Secure Web Server (SWS) for OpenVMS, Remote De' - MARC | af854a3a-2127-422b-91ae-364da2661108 | marc.info | Issue Tracking, Mailing List, Third Party Advisory |
| Re: fnmatch rewrite in apr, apr 1.4.3 | af854a3a-2127-422b-91ae-364da2661108 | www.mail-archive.com | Mailing List, Third Party Advisory |
| '[security bulletin] HPSBUX02702 SSRT100606 rev.1 - HP-UX Apache Web Server, Remote Denial of Service' - MARC | af854a3a-2127-422b-91ae-364da2661108 | marc.info | Issue Tracking, Mailing List, Third Party Advisory |
| Multiple Vendors libc/fnmatch(3) DoS (incl apache poc) - SecurityReason.com | af854a3a-2127-422b-91ae-364da2661108 | securityreason.com | Exploit, Third Party Advisory |
| Debian -- Security Information -- DSA-2237-1 apr | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | Third Party Advisory |
| All about me - Maksymilian Arciemowicz - cxib.net | af854a3a-2127-422b-91ae-364da2661108 | cxib.net | Patch, Third Party Advisory |
| Apache APR Library apr_fnmatch() Flaw Lets Remote Users Execute Arbitrary Code - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | securitytracker.com | Broken Link, Third Party Advisory, VDB Entry |
| [Apache-SVN] Revision 1098799 | af854a3a-2127-422b-91ae-364da2661108 | svn.apache.org | Patch, Vendor Advisory |
| 404 Not Found | af854a3a-2127-422b-91ae-364da2661108 | www.apache.org | Broken Link |
| [Apache-SVN] Revision 1098188 | af854a3a-2127-422b-91ae-364da2661108 | svn.apache.org | Patch, Vendor Advisory |
| Apache HTTP Server APR "apr_fnmatch()" Denial of Service Vulnerability - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Vendor Advisory |
| Re: Apache Portable Runtime 1.4.4 [...] Released | MITRE | www.mail-archive.com | |
| Re: fnmatch rewrite in apr, apr 1.4.3 | MITRE | www.mail-archive.com | |
| Pony Mail! | MITRE | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.