The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.
2017-06-20T01:29:00.390
2025-04-20T01:37:25.860
Deferred
CVSSv3.1: 7.5 (HIGH)
AV:N/AC:L/Au:N/C:N/I:N/A:P
10.0
2.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | apache | http_server | 2.2.32 | Yes |
| Application | apache | http_server | 2.4.24 | Yes |
| Application | apache | http_server | 2.4.25 | Yes |
| Application | netapp | clustered_data_ontap | - | Yes |
| Application | netapp | oncommand_unified_manager | - | Yes |
| Application | netapp | storagegrid | - | Yes |
| Operating System | redhat | enterprise_linux_desktop | 7.0 | Yes |
| Operating System | redhat | enterprise_linux_eus | 7.2 | Yes |
| Operating System | redhat | enterprise_linux_eus | 7.3 | Yes |
| Operating System | redhat | enterprise_linux_eus | 7.4 | Yes |
| Operating System | redhat | enterprise_linux_eus | 7.5 | Yes |
| Operating System | redhat | enterprise_linux_eus | 7.6 | Yes |
| Operating System | redhat | enterprise_linux_eus | 7.7 | Yes |
| Operating System | redhat | enterprise_linux_server | 7.0 | Yes |
| Operating System | redhat | enterprise_linux_server_aus | 7.2 | Yes |
| Operating System | redhat | enterprise_linux_server_aus | 7.3 | Yes |
| Operating System | redhat | enterprise_linux_server_aus | 7.4 | Yes |
| Operating System | redhat | enterprise_linux_server_aus | 7.6 | Yes |
| Operating System | redhat | enterprise_linux_server_aus | 7.7 | Yes |
| Operating System | redhat | enterprise_linux_server_tus | 7.2 | Yes |
| Operating System | redhat | enterprise_linux_server_tus | 7.3 | Yes |
| Operating System | redhat | enterprise_linux_server_tus | 7.4 | Yes |
| Operating System | redhat | enterprise_linux_server_tus | 7.6 | Yes |
| Operating System | redhat | enterprise_linux_server_tus | 7.7 | Yes |
| Operating System | redhat | enterprise_linux_workstation | 7.0 | Yes |
| Operating System | debian | debian_linux | 8.0 | Yes |
| Operating System | debian | debian_linux | 9.0 | Yes |
| Application | oracle | secure_global_desktop | 5.3 | Yes |
| Operating System | apple | mac_os_x | < 10.13.1 | Yes |
| Operating System | apple | mac_os_x | < 10.11.6 | Yes |
| Operating System | apple | mac_os_x | < 10.12.6 | Yes |
| Operating System | apple | mac_os_x | 10.11.6 | Yes |
| Operating System | apple | mac_os_x | 10.11.6 | Yes |
| Operating System | apple | mac_os_x | 10.11.6 | Yes |
| Operating System | apple | mac_os_x | 10.11.6 | Yes |
| Operating System | apple | mac_os_x | 10.11.6 | Yes |
| Operating System | apple | mac_os_x | 10.11.6 | Yes |
| Operating System | apple | mac_os_x | 10.11.6 | Yes |
| Operating System | apple | mac_os_x | 10.12.6 | Yes |