CVE-2017-7668
Published: 19 June 2017
The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.
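The class of bug described above, shown as an added illustration that is not Apache httpd's source: a simplified token-list search whose loops test for the string terminator themselves, so the scan cannot leave its input. The names find_token and is_token_stop, the stop-character set and the idea that the classifier reports NUL as a stop byte are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical classifier: 1 for bytes that cannot be part of a token.
 * Assumption for this example: NUL is reported as a stop byte too, so a
 * caller asking only "is this a stop byte?" cannot tell a separator from
 * the end of the string. */
static int is_token_stop(unsigned char c)
{
    return c <= ' ' || c == 0x7f || strchr(",;\"()<>@:\\/[]?={}", c) != NULL;
}

/* Return 1 if tok appears as a whole token in the list, else 0. */
int find_token(const char *list, const char *tok)
{
    const unsigned char *s = (const unsigned char *)list;
    size_t tok_len;

    if (list == NULL || tok == NULL || *tok == '\0')
        return 0;
    tok_len = strlen(tok);

    for (;;) {
        /* Skip separators. The explicit *s test is the bound: without it
         * this loop would step over the terminator and keep reading. */
        while (*s != '\0' && is_token_stop(*s))
            ++s;
        if (*s == '\0')
            return 0;               /* only separators were left */

        const unsigned char *start = s;
        while (*s != '\0' && !is_token_stop(*s))
            ++s;                    /* stops at a separator or the terminator */

        /* Compare whole tokens only, so "chunk" does not match "chunked". */
        if ((size_t)(s - start) == tok_len &&
            strncasecmp((const char *)start, tok, tok_len) == 0)
            return 1;
        /* No match: loop again; the checks above end the scan at NUL. */
    }
}
```

The inputs that matter are the ones ending in separators, such as "gzip, ", where the separator-skipping loop is the last thing to run before the terminator.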
Priority
CVSS 3 base score: 7.5
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668
- https://lists.apache.org/thread.html/55a068b6a5eec0b3198ae7d96a7cb412352d0ffa7716612c5af3745b@%3Cdev.httpd.apache.org%3E
- https://ubuntu.com/security/notices/USN-3340-1
- https://ubuntu.com/security/notices/USN-3373-1
- NVD
- Launchpad
- Debian