CVE-2012-0053
First published: Fri Jan 27 2012(Updated: )
A flaw was found in the default error response for status code 400. This could be used by an attacker to expose "httpOnly" cookies, when no custom ErrorDocument was specified. This affects all versions of Apache from 2.2.0 up to and including 2.2.21. It will be fixed upstream in 2.2.22 (via r1235454 [1]). [1] <a href="http://svn.apache.org/viewvc?view=revision&revision=1235454">http://svn.apache.org/viewvc?view=revision&revision=1235454</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/httpd | <2.2.22 | 2.2.22 |
| Apache HTTP server | >=2.0.0<2.0.65 | |
| Apache HTTP server | >=2.2.0<2.2.22 | |
| Debian Debian Linux | =5.0 | |
| Debian Debian Linux | =6.0 | |
| Debian Debian Linux | =7.0 | |
| openSUSE openSUSE | =11.4 | |
| SUSE Linux Enterprise Server | =10-sp4 | |
| SUSE Linux Enterprise Software Development Kit | =10-sp4 | |
| Redhat Storage | =2.0 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Eus | =6.2 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Workstation | =6.0 | |
| Redhat Jboss Enterprise Web Server | =1.0.0 | |
| Redhat Enterprise Linux | =5.0 | |
| Redhat Enterprise Linux | =6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://svn.apache.org/viewvc?view=revision&revision=1235454
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785070
- https://access.redhat.com/security/cve/CVE-2012-0053
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785069#c0
- http://fd.the-wildcat.de/apache_e36a9cf46c.php
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785069#c4
- https://rhn.redhat.com/errata/RHSA-2012-0128.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785069#c10
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785069#c11
- https://rhn.redhat.com/errata/RHSA-2012-0323.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785069#c12
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785069#c15
- https://access.redhat.com/support/policy/updates/errata/
- https://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?view=diff&r1=1237164&r2=1237165&pathrev=1237165
- https://rhn.redhat.com/errata/RHSA-2012-0543.html
- https://rhn.redhat.com/errata/RHSA-2012-0542.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=785069#c5
- http://httpd.apache.org/docs/2.2/mod/core.html#errordocument
- https://bugzilla.redhat.com/show_bug.cgi?id=785069
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
- http://httpd.apache.org/security/vulnerabilities_22.html
- http://kb.juniper.net/JSA10585
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00002.html
- http://marc.info/?l=bugtraq&m=133294460209056&w=2
- http://marc.info/?l=bugtraq&m=133494237717847&w=2
- http://marc.info/?l=bugtraq&m=133951357207000&w=2
- http://marc.info/?l=bugtraq&m=136441204617335&w=2
- http://rhn.redhat.com/errata/RHSA-2012-0128.html
- http://rhn.redhat.com/errata/RHSA-2012-0542.html
- http://rhn.redhat.com/errata/RHSA-2012-0543.html
- http://secunia.com/advisories/48551
- http://support.apple.com/kb/HT5501
- http://www.debian.org/security/2012/dsa-2405
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:012
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
- http://www.securityfocus.com/bid/51706
- https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r05b5357d1f6bd106f41541ee7d87aafe3f5ea4dc3e9bde5ce09baff8@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r1d201e3da31a2c8aa870c8314623caef7debd74a13d0f25205e26f15@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9b4b963760a3cb5a4a70c902f325c6c0337fe51d5b8570416f8f8729@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E
- collector/redhat-bugzilla
- alias/CVE-2012-0053
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/severity
- agent/author
- agent/remedy
- agent/references
- agent/softwarecombine
- agent/description
- agent/tags
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/apache
- canonical/apache http server
- version/apache http server/2.0.0
- version/apache http server/2.2.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/5.0
- version/debian debian linux/6.0
- version/debian debian linux/7.0
- vendor/opensuse
- canonical/opensuse opensuse
- version/opensuse opensuse/11.4
- vendor/suse
- canonical/suse linux enterprise server
- version/suse linux enterprise server/10-sp4
- canonical/suse linux enterprise software development kit
- version/suse linux enterprise software development kit/10-sp4
- vendor/redhat
- canonical/redhat storage
- version/redhat storage/2.0
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/6.2
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- canonical/redhat jboss enterprise web server
- version/redhat jboss enterprise web server/1.0.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/5.0
- version/redhat enterprise linux/6.0