CVE-2017-7668

Summary

CVE	CVE-2017-7668
State	PUBLISHED
Assigner	apache
Source Priority	CVE Program / NVD first with legacy fallback
Published	2017-06-20 01:29:00 UTC
Updated	2025-04-20 01:37:25 UTC
Description	The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.

Risk And Classification

Primary CVSS: v3.1 7.5 HIGH from [email protected]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-126 | CWE-125 | CWE-126 Denial of Service, Integrity Violation (CWE-126)

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	7.5	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
2.0	[email protected]	Primary	5		`AV:N/AC:L/Au:N/C:N/I:N/A:P`

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2.0 Breakdown

Access Vector

Network

Access Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Http Server	2.2.32	All	All	All
Application	Apache	Http Server	2.4.24	All	All	All
Application	Apache	Http Server	2.4.25	All	All	All
Operating System	Apple	Mac Os X	All	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Netapp	Clustered Data Ontap	-	All	All	All
Application	Netapp	Oncommand Unified Manager	-	All	All	All
Application	Netapp	Storagegrid	-	All	All	All
Application	Oracle	Secure Global Desktop	5.3	All	All	All
Operating System	Redhat	Enterprise Linux Desktop	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Eus	7.2	All	All	All
Operating System	Redhat	Enterprise Linux Eus	7.3	All	All	All
Operating System	Redhat	Enterprise Linux Eus	7.4	All	All	All
Operating System	Redhat	Enterprise Linux Eus	7.5	All	All	All
Operating System	Redhat	Enterprise Linux Eus	7.6	All	All	All
Operating System	Redhat	Enterprise Linux Eus	7.7	All	All	All
Operating System	Redhat	Enterprise Linux Server	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	7.2	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	7.3	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	7.4	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	7.6	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	7.7	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	7.2	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	7.3	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	7.4	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	7.6	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	7.7	All	All	All
Operating System	Redhat	Enterprise Linux Workstation	7.0	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Apache Software Foundation	Apache HTTP Server	affected 2.2.32	Not specified
CNA	Apache Software Foundation	Apache HTTP Server	affected 2.4.24, 2.4.25	Not specified

References

Reference	Source	Link	Tags
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Document Display \| HPE Support Center	af854a3a-2127-422b-91ae-364da2661108	support.hpe.com	Third Party Advisory
Apache: Multiple vulnerabilities (GLSA 201710-32) — Gentoo security	af854a3a-2127-422b-91ae-364da2661108	security.gentoo.org	Third Party Advisory
Apache HTTP Server CVE-2017-7668 Denial of Service Vulnerability	af854a3a-2127-422b-91ae-364da2661108	www.securityfocus.com	Third Party Advisory, VDB Entry
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
[R1] Tenable.sc 5.13.0 Fixes Multiple Third-Party Vulnerabilities - Security Advisory \| Tenable®	af854a3a-2127-422b-91ae-364da2661108	www.tenable.com	Third Party Advisory
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Red Hat Customer Portal	af854a3a-2127-422b-91ae-364da2661108	access.redhat.com	Third Party Advisory
Apache HTTPD Bugs Let Remote Users Deny Service and Bypass Authentication in Certain Cases - SecurityTracker	af854a3a-2127-422b-91ae-364da2661108	www.securitytracker.com	Third Party Advisory, VDB Entry
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Debian -- Security Information -- DSA-3896-1 apache2	af854a3a-2127-422b-91ae-364da2661108	www.debian.org	Third Party Advisory
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Document Display \| HPE Support Center	af854a3a-2127-422b-91ae-364da2661108	support.hpe.com	Third Party Advisory
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Oracle Critical Patch Update - October 2017	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com	Patch, Third Party Advisory
About the security content of macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan - Apple Support	af854a3a-2127-422b-91ae-364da2661108	support.apple.com	Third Party Advisory
Red Hat Customer Portal	af854a3a-2127-422b-91ae-364da2661108	access.redhat.com	Third Party Advisory
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
June 2017 Apache HTTP Server Vulnerabilities in NetApp Products \| NetApp Product Security	af854a3a-2127-422b-91ae-364da2661108	security.netapp.com	Third Party Advisory
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Red Hat Customer Portal	af854a3a-2127-422b-91ae-364da2661108	access.redhat.com	Third Party Advisory
Pony Mail!	af854a3a-2127-422b-91ae-364da2661108	lists.apache.org
Red Hat Customer Portal	af854a3a-2127-422b-91ae-364da2661108	access.redhat.com	Third Party Advisory
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
Pony Mail!	MITRE	lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

500011 Alpine Linux Security Update for apache2
503702 Alpine Linux Security Update for apache2