CVE-2011-0419

Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.

Published: May 16, 2011
Updated: Apr 13, 2023
CVE: CVE-2011-0419
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

CWE-770

Affected Software
References

Software	From	Fixed in
netbsd / netbsd	5.1	5.1.x
google / android	-	-
freebsd / freebsd	-	-
openbsd / openbsd	4.8	4.8.x
apple / mac_os_x	10.6.0	10.6.0.x
oracle / solaris	10	10.x
debian / debian_linux	5.0	5.0.x
debian / debian_linux	7.0	7.0.x
debian / debian_linux	6.0	6.0.x
suse / linux_enterprise_server	10-sp3	10-sp3.x
apache / portable_runtime	-	1.4.3
apache / http_server	2.0.0	2.0.65.x
apache / http_server	2.2.0	2.2.18.x

Vulnerability Database

289,599

CVE-2011-0419