CVE Details for CVE: CVE-2002-0842
Summary
Format string vulnerability in certain third-party modifications to mod_dav for logging bad gateway messages (e.g. Oracle9i Application Server 9.0.2) allows remote attackers to execute arbitrary code via a destination URI that forces a "502 Bad Gateway" response, which causes the format string specifiers to be returned from dav_lookup_uri() in mod_dav.c and then used in a call to ap_log_rerror().
| Timestamps | |
|---|---|
| Last major update | 18-10-2016 - 02:22 |
| Published | 03-03-2003 - 05:00 |
| Last modified | 18-10-2016 - 02:22 |
References
- http://www.iss.net/security_center/static/11330.php
- http://www.kb.cert.org/vuls/id/849993
- http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf
- http://www.nextgenss.com/advisories/ora-appservfmtst.txt
- http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0076.html
- http://www.cert.org/advisories/CA-2003-05.html
- http://www.ciac.org/ciac/bulletins/n-046.shtml
- http://www.securityfocus.com/bid/6846
- http://marc.info/?l=bugtraq&m=104549708626309&w=2
- http://marc.info/?l=bugtraq&m=104560577227981&w=2
- http://marc.info/?l=bugtraq&m=104559446010858&w=2
CWE
CVSS
| Base | Impact | Exploitability |
|---|---|---|
| 7.5 | 6.4 | 10.0 |
Access
| Vector | Complexity | Authentication |
|---|---|---|
| NETWORK | LOW | NONE |
Impact
| Confidentiality | Integrity | Availability |
|---|---|---|
| PARTIAL | PARTIAL | PARTIAL |
CVSS3
None
VIA4 references
refmap
| Source | Reference |
|---|---|
| bid | 6846 |
| bugtraq | |
| cert | CA-2003-05 |
| cert-vn | VU#849993 |
| ciac | N-046 |
| confirm | http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf |
| fulldisc | 20030218 Re: CSSA-2003-007.0 Advisory withdrawn. |
| misc | http://www.nextgenss.com/advisories/ora-appservfmtst.txt |
| ntbugtraq | 20030217 Oracle9i Application Server Format String Vulnerability (#NISR16022003d) |
| vulnwatch | 20030217 Oracle9i Application Server Format String Vulnerability (#NISR16022003d) |
| xf | oracle-appserver-davpublic-dos(11330) |