CVE-2014-0231

Summary

CVE	CVE-2014-0231
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2014-07-20 11:12:00 UTC
Updated	2023-11-07 02:18:00 UTC
Description	The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor.

Risk And Classification

Problem Types: CWE-399

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Http Server	All	All	All	All
Application	Apache	Http Server	-	All	All	All
Application	Apache	Http Server	2.2.0	All	All	All
Application	Apache	Http Server	2.2.10	All	All	All
Application	Apache	Http Server	2.2.11	All	All	All
Application	Apache	Http Server	2.2.12	All	All	All
Application	Apache	Http Server	2.2.13	All	All	All
Application	Apache	Http Server	2.2.14	All	All	All
Application	Apache	Http Server	2.2.15	All	All	All
Application	Apache	Http Server	2.2.16	All	All	All
Application	Apache	Http Server	2.2.17	All	All	All
Application	Apache	Http Server	2.2.18	All	All	All
Application	Apache	Http Server	2.2.19	All	All	All
Application	Apache	Http Server	2.2.2	All	All	All
Application	Apache	Http Server	2.2.20	All	All	All
Application	Apache	Http Server	2.2.21	All	All	All
Application	Apache	Http Server	2.2.22	All	All	All
Application	Apache	Http Server	2.2.23	All	All	All
Application	Apache	Http Server	2.2.24	All	All	All
Application	Apache	Http Server	2.2.25	All	All	All
Application	Apache	Http Server	2.2.26	All	All	All
Application	Apache	Http Server	2.2.27	All	All	All
Application	Apache	Http Server	2.2.3	All	All	All
Application	Apache	Http Server	2.2.4	All	All	All
Application	Apache	Http Server	2.2.6	All	All	All
Application	Apache	Http Server	2.2.8	All	All	All
Application	Apache	Http Server	2.2.9	All	All	All
Application	Apache	Http Server	2.4.1	All	All	All
Application	Apache	Http Server	2.4.2	All	All	All
Application	Apache	Http Server	2.4.3	All	All	All
Application	Apache	Http Server	2.4.4	All	All	All
Application	Apache	Http Server	2.4.6	All	All	All
Application	Apache	Http Server	2.4.7	All	All	All
Application	Apache	Http Server	2.4.8	All	All	All
Application	Apache	Http Server	-	All	All	All
Application	Apache	Http Server	2.2.0	All	All	All
Application	Apache	Http Server	2.2.10	All	All	All
Application	Apache	Http Server	2.2.11	All	All	All
Application	Apache	Http Server	2.2.12	All	All	All
Application	Apache	Http Server	2.2.13	All	All	All
Application	Apache	Http Server	2.2.14	All	All	All
Application	Apache	Http Server	2.2.15	All	All	All
Application	Apache	Http Server	2.2.16	All	All	All
Application	Apache	Http Server	2.2.17	All	All	All
Application	Apache	Http Server	2.2.18	All	All	All
Application	Apache	Http Server	2.2.19	All	All	All
Application	Apache	Http Server	2.2.2	All	All	All
Application	Apache	Http Server	2.2.20	All	All	All
Application	Apache	Http Server	2.2.21	All	All	All
Application	Apache	Http Server	2.2.22	All	All	All
Application	Apache	Http Server	2.2.23	All	All	All
Application	Apache	Http Server	2.2.24	All	All	All
Application	Apache	Http Server	2.2.25	All	All	All
Application	Apache	Http Server	2.2.26	All	All	All
Application	Apache	Http Server	2.2.27	All	All	All
Application	Apache	Http Server	2.2.3	All	All	All
Application	Apache	Http Server	2.2.4	All	All	All
Application	Apache	Http Server	2.2.6	All	All	All
Application	Apache	Http Server	2.2.8	All	All	All
Application	Apache	Http Server	2.2.9	All	All	All
Application	Apache	Http Server	2.4.1	All	All	All
Application	Apache	Http Server	2.4.2	All	All	All
Application	Apache	Http Server	2.4.3	All	All	All
Application	Apache	Http Server	2.4.4	All	All	All
Application	Apache	Http Server	2.4.6	All	All	All
Application	Apache	Http Server	2.4.7	All	All	All
Application	Apache	Http Server	2.4.8	All	All	All
Application	Apache	Http Server	All	All	All	All

References

Reference	Source	Link	Tags
Pony Mail!		lists.apache.org
Red Hat Customer Portal	REDHAT	rhn.redhat.com
'[security bulletin] HPSBUX03337 SSRT102066 rev.1 - HP-UX Apache Web Server Suite running Apache Web ' - MARC	HP	marc.info
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Mageia Advisory: MGASA-2014-0305 - Updated apache package fixes security vulnerabilities	CONFIRM	advisories.mageia.org
Pony Mail!		lists.apache.org
Apache HTTP Server CVE-2014-0231 Remote Denial of Service Vulnerability	BID	www.securityfocus.com
Pony Mail!		lists.apache.org
About Secunia Research \| Flexera	SECUNIA	secunia.com
Pony Mail!		lists.apache.org
svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES	CONFIRM	svn.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
'[security bulletin] HPSBMU03409 rev.1 - HP Matrix Operating Environment, Multiple Vulnerabilities' - MARC	HP	marc.info
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Bug 1120596 – CVE-2014-0231 httpd: mod_cgid denial of service	CONFIRM	bugzilla.redhat.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Support / Security / Advisories / / MDVSA-2014:142 \| Mandriva	MANDRIVA	www.mandriva.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[Apache-SVN] Log of /httpd/httpd/trunk/modules/generators/mod_cgid.c	CONFIRM	svn.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update - January 2015	CONFIRM	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
APPLE-SA-2015-04-08-2 OS X 10.10.3 and Security Update 2015-004	APPLE	lists.apple.com
Apache: Multiple vulnerabilities (GLSA 201504-03) — Gentoo security	GENTOO	security.gentoo.org
'[security bulletin] HPSBUX03512 SSRT102254 rev.1 - HP-UX Web Server Suite running Apache, Remote Den' - MARC	HP	marc.info
Pony Mail!	MLIST	lists.apache.org
Mageia Advisory: MGASA-2014-0304 - Updated apache package fixes security vulnerabilities	CONFIRM	advisories.mageia.org
Debian -- Security Information -- DSA-2989-1 apache2	DEBIAN	www.debian.org
Pony Mail!		lists.apache.org
RSA Digital Certificate Solution XSS / Denial Of Service ≈ Packet Storm	MISC	packetstormsecurity.com
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Document Display \| HPE Support Center	CONFIRM	h20564.www2.hpe.com
Red Hat Customer Portal	REDHAT	rhn.redhat.com
[Apache-SVN] Diff of /httpd/httpd/trunk/modules/generators/mod_cgid.c	CONFIRM	svn.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
'[security bulletin] HPSBMU03380 rev.1 - HP System Management Homepage (SMH) on Linux and Windows, Mu' - MARC	HP	marc.info
Pony Mail!		lists.apache.org
[Apache-SVN] Diff of /httpd/httpd/trunk/modules/generators/mod_cgid.c	CONFIRM	svn.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
CVE-2014-0231 \| Puppet	CONFIRM	puppet.com
About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004 - Apple Support	CONFIRM	support.apple.com
Red Hat Customer Portal	REDHAT	rhn.redhat.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project	CONFIRM	httpd.apache.org	Patch, Vendor Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

241029 Red Hat Update for JBoss Enterprise Application Platform 6.3.0 (RHSA-2014:1020)
241030 Red Hat Update for JBoss Enterprise Application Platform 6.3.0 (RHSA-2014:1019)