Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2009-1955

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.

Security Impact Summary

This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 7.5, indicating it can be exploited remotely over the network with relatively low complexity without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts and availability (service disruption) for affected systems. Impacting 8 products from apache, from apple, from suse and 5 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

Originally identified in 2009, this vulnerability predates many modern security frameworks and practices. The vulnerability landscape of that era was characterized by different threat models and less mature defense mechanisms compared to contemporary standards.

Published

2009-06-08T01:00:00.687

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-776

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	apr-util	< 1.3.7	Yes
Operating System	apple	mac_os_x	< 10.6.2	Yes
Operating System	suse	linux_enterprise_server	9	Yes
Operating System	debian	debian_linux	4.0	Yes
Operating System	canonical	ubuntu_linux	6.06	Yes
Operating System	canonical	ubuntu_linux	8.04	Yes
Operating System	canonical	ubuntu_linux	8.10	Yes
Operating System	canonical	ubuntu_linux	9.04	Yes
Operating System	fedoraproject	fedora	9	Yes
Operating System	fedoraproject	fedora	10	Yes
Operating System	fedoraproject	fedora	11	Yes
Application	oracle	http_server	-	Yes
Application	apache	http_server	< 2.2.12	Yes

References

http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html Mailing List, Third Party Advisory ([email protected])
http://marc.info/?l=apr-dev&m=124396021826125&w=2 Mailing List, Patch ([email protected])
http://marc.info/?l=bugtraq&m=129190899612998&w=2 Mailing List ([email protected])
http://secunia.com/advisories/34724 Broken Link, Third Party Advisory ([email protected])
http://secunia.com/advisories/35284 Broken Link, Third Party Advisory ([email protected])
http://secunia.com/advisories/35360 Broken Link, Third Party Advisory ([email protected])
http://secunia.com/advisories/35395 Broken Link, Third Party Advisory ([email protected])
http://secunia.com/advisories/35444 Broken Link, Third Party Advisory ([email protected])
http://secunia.com/advisories/35487 Broken Link, Third Party Advisory ([email protected])
http://secunia.com/advisories/35565 Broken Link, Third Party Advisory ([email protected])
http://secunia.com/advisories/35710 Broken Link, Third Party Advisory ([email protected])
http://secunia.com/advisories/35797 Broken Link, Third Party Advisory ([email protected])
http://secunia.com/advisories/35843 Broken Link, Third Party Advisory ([email protected])
http://secunia.com/advisories/36473 Broken Link, Third Party Advisory ([email protected])
http://secunia.com/advisories/37221 Broken Link, Third Party Advisory ([email protected])
http://security.gentoo.org/glsa/glsa-200907-03.xml Third Party Advisory ([email protected])
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.538210 Broken Link, Third Party Advisory ([email protected])
http://support.apple.com/kb/HT3937 Broken Link ([email protected])
http://svn.apache.org/viewvc?view=rev&revision=781403 Patch ([email protected])
http://wiki.rpath.com/Advisories:rPSA-2009-0123 Broken Link ([email protected])
http://www-01.ibm.com/support/docview.wss?uid=swg1PK88342 Broken Link ([email protected])
http://www-01.ibm.com/support/docview.wss?uid=swg1PK91241 Broken Link, Third Party Advisory ([email protected])
http://www-01.ibm.com/support/docview.wss?uid=swg1PK99478 Broken Link, Third Party Advisory ([email protected])
http://www-01.ibm.com/support/docview.wss?uid=swg27014463 Broken Link, Third Party Advisory ([email protected])
http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3 Broken Link ([email protected])
http://www.debian.org/security/2009/dsa-1812 Mailing List, Third Party Advisory ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2009:131 Broken Link, Third Party Advisory ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 Broken Link, Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2009/06/03/4 Mailing List ([email protected])
http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html Patch, Third Party Advisory ([email protected])
http://www.redhat.com/support/errata/RHSA-2009-1107.html Broken Link, Third Party Advisory ([email protected])
http://www.redhat.com/support/errata/RHSA-2009-1108.html Broken Link, Third Party Advisory ([email protected])
http://www.securityfocus.com/archive/1/506053/100/0/threaded Broken Link, Third Party Advisory, VDB Entry ([email protected])
http://www.securityfocus.com/bid/35253 Broken Link, Third Party Advisory, VDB Entry ([email protected])
http://www.ubuntu.com/usn/usn-786-1 Third Party Advisory ([email protected])
http://www.ubuntu.com/usn/usn-787-1 Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2009/1907 Broken Link, Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2009/3184 Broken Link, Third Party Advisory ([email protected])
http://www.vupen.com/english/advisories/2010/1107 Broken Link, Third Party Advisory ([email protected])
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e84801eae116a33107e%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/reb7c64aeea604bf948467d9d1cab8ff23fa7d002be1964bcc275aae7%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch ([email protected])
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10270 Broken Link, Third Party Advisory ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12473 Broken Link, Third Party Advisory ([email protected])
https://www.exploit-db.com/exploits/8842 Exploit, VDB Entry ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01173.html Mailing List ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01201.html Mailing List ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01228.html Mailing List ([email protected])
http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=apr-dev&m=124396021826125&w=2 Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=129190899612998&w=2 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/34724 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35284 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35360 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35395 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35444 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35487 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35565 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35710 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35797 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35843 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/36473 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/37221 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://security.gentoo.org/glsa/glsa-200907-03.xml Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.538210 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://support.apple.com/kb/HT3937 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc?view=rev&revision=781403 Patch (af854a3a-2127-422b-91ae-364da2661108)
http://wiki.rpath.com/Advisories:rPSA-2009-0123 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www-01.ibm.com/support/docview.wss?uid=swg1PK88342 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www-01.ibm.com/support/docview.wss?uid=swg1PK91241 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www-01.ibm.com/support/docview.wss?uid=swg1PK99478 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www-01.ibm.com/support/docview.wss?uid=swg27014463 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2009/dsa-1812 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2009:131 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2009/06/03/4 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.redhat.com/support/errata/RHSA-2009-1107.html Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.redhat.com/support/errata/RHSA-2009-1108.html Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/506053/100/0/threaded Broken Link, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/35253 Broken Link, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/usn-786-1 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/usn-787-1 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/1907 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/3184 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/1107 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e84801eae116a33107e%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/reb7c64aeea604bf948467d9d1cab8ff23fa7d002be1964bcc275aae7%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E Mailing List, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10270 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12473 Broken Link, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/8842 Exploit, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01173.html Mailing List (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01201.html Mailing List (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01228.html Mailing List (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For apache's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.