Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.
2011-11-08T11:55:05.693
2025-04-11T00:51:21.963
Deferred
CVSSv2: 4.4 (MEDIUM)
AV:L/AC:M/Au:N/C:P/I:P/A:P
3.4
6.4
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | apache | http_server | 2.0 | Yes |
| Application | apache | http_server | 2.0.9 | Yes |
| Application | apache | http_server | 2.0.28 | Yes |
| Application | apache | http_server | 2.0.28 | Yes |
| Application | apache | http_server | 2.0.32 | Yes |
| Application | apache | http_server | 2.0.32 | Yes |
| Application | apache | http_server | 2.0.34 | Yes |
| Application | apache | http_server | 2.0.35 | Yes |
| Application | apache | http_server | 2.0.36 | Yes |
| Application | apache | http_server | 2.0.37 | Yes |
| Application | apache | http_server | 2.0.38 | Yes |
| Application | apache | http_server | 2.0.39 | Yes |
| Application | apache | http_server | 2.0.40 | Yes |
| Application | apache | http_server | 2.0.41 | Yes |
| Application | apache | http_server | 2.0.42 | Yes |
| Application | apache | http_server | 2.0.43 | Yes |
| Application | apache | http_server | 2.0.44 | Yes |
| Application | apache | http_server | 2.0.45 | Yes |
| Application | apache | http_server | 2.0.46 | Yes |
| Application | apache | http_server | 2.0.47 | Yes |
| Application | apache | http_server | 2.0.48 | Yes |
| Application | apache | http_server | 2.0.49 | Yes |
| Application | apache | http_server | 2.0.50 | Yes |
| Application | apache | http_server | 2.0.51 | Yes |
| Application | apache | http_server | 2.0.52 | Yes |
| Application | apache | http_server | 2.0.53 | Yes |
| Application | apache | http_server | 2.0.54 | Yes |
| Application | apache | http_server | 2.0.55 | Yes |
| Application | apache | http_server | 2.0.56 | Yes |
| Application | apache | http_server | 2.0.57 | Yes |
| Application | apache | http_server | 2.0.58 | Yes |
| Application | apache | http_server | 2.0.59 | Yes |
| Application | apache | http_server | 2.0.60 | Yes |
| Application | apache | http_server | 2.0.61 | Yes |
| Application | apache | http_server | 2.0.63 | Yes |
| Application | apache | http_server | 2.0.64 | Yes |
| Application | apache | http_server | 2.2.0 | Yes |
| Application | apache | http_server | 2.2.1 | Yes |
| Application | apache | http_server | 2.2.2 | Yes |
| Application | apache | http_server | 2.2.3 | Yes |
| Application | apache | http_server | 2.2.4 | Yes |
| Application | apache | http_server | 2.2.6 | Yes |
| Application | apache | http_server | 2.2.8 | Yes |
| Application | apache | http_server | 2.2.9 | Yes |
| Application | apache | http_server | 2.2.10 | Yes |
| Application | apache | http_server | 2.2.11 | Yes |
| Application | apache | http_server | 2.2.12 | Yes |
| Application | apache | http_server | 2.2.13 | Yes |
| Application | apache | http_server | 2.2.14 | Yes |
| Application | apache | http_server | 2.2.15 | Yes |
| Application | apache | http_server | 2.2.16 | Yes |
| Application | apache | http_server | 2.2.18 | Yes |
| Application | apache | http_server | 2.2.19 | Yes |
| Application | apache | http_server | 2.2.20 | Yes |
| Application | apache | http_server | 2.2.21 | Yes |