The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the "len +=" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607.
2011-11-08T11:55:05.850
2025-04-11T00:51:21.963
Deferred
CVSSv2: 1.2 (LOW)
AV:L/AC:H/Au:N/C:N/I:N/A:P
1.9
2.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | apache | http_server | 2.0 | Yes |
| Application | apache | http_server | 2.0.9 | Yes |
| Application | apache | http_server | 2.0.28 | Yes |
| Application | apache | http_server | 2.0.28 | Yes |
| Application | apache | http_server | 2.0.32 | Yes |
| Application | apache | http_server | 2.0.32 | Yes |
| Application | apache | http_server | 2.0.34 | Yes |
| Application | apache | http_server | 2.0.35 | Yes |
| Application | apache | http_server | 2.0.36 | Yes |
| Application | apache | http_server | 2.0.37 | Yes |
| Application | apache | http_server | 2.0.38 | Yes |
| Application | apache | http_server | 2.0.39 | Yes |
| Application | apache | http_server | 2.0.40 | Yes |
| Application | apache | http_server | 2.0.41 | Yes |
| Application | apache | http_server | 2.0.42 | Yes |
| Application | apache | http_server | 2.0.43 | Yes |
| Application | apache | http_server | 2.0.44 | Yes |
| Application | apache | http_server | 2.0.45 | Yes |
| Application | apache | http_server | 2.0.46 | Yes |
| Application | apache | http_server | 2.0.47 | Yes |
| Application | apache | http_server | 2.0.48 | Yes |
| Application | apache | http_server | 2.0.49 | Yes |
| Application | apache | http_server | 2.0.50 | Yes |
| Application | apache | http_server | 2.0.51 | Yes |
| Application | apache | http_server | 2.0.52 | Yes |
| Application | apache | http_server | 2.0.53 | Yes |
| Application | apache | http_server | 2.0.54 | Yes |
| Application | apache | http_server | 2.0.55 | Yes |
| Application | apache | http_server | 2.0.56 | Yes |
| Application | apache | http_server | 2.0.57 | Yes |
| Application | apache | http_server | 2.0.58 | Yes |
| Application | apache | http_server | 2.0.59 | Yes |
| Application | apache | http_server | 2.0.60 | Yes |
| Application | apache | http_server | 2.0.61 | Yes |
| Application | apache | http_server | 2.0.63 | Yes |
| Application | apache | http_server | 2.0.64 | Yes |
| Application | apache | http_server | 2.2.0 | Yes |
| Application | apache | http_server | 2.2.1 | Yes |
| Application | apache | http_server | 2.2.2 | Yes |
| Application | apache | http_server | 2.2.3 | Yes |
| Application | apache | http_server | 2.2.4 | Yes |
| Application | apache | http_server | 2.2.6 | Yes |
| Application | apache | http_server | 2.2.8 | Yes |
| Application | apache | http_server | 2.2.9 | Yes |
| Application | apache | http_server | 2.2.10 | Yes |
| Application | apache | http_server | 2.2.11 | Yes |
| Application | apache | http_server | 2.2.12 | Yes |
| Application | apache | http_server | 2.2.13 | Yes |
| Application | apache | http_server | 2.2.14 | Yes |
| Application | apache | http_server | 2.2.15 | Yes |
| Application | apache | http_server | 2.2.16 | Yes |
| Application | apache | http_server | 2.2.18 | Yes |
| Application | apache | http_server | 2.2.19 | Yes |
| Application | apache | http_server | 2.2.20 | Yes |
| Application | apache | http_server | 2.2.21 | Yes |