CVE-2012-0053

protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.

Published: Jan 28, 2012
Updated: Apr 13, 2023
CVE: CVE-2012-0053
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
apache / http_server	2.0.0	2.0.65
apache / http_server	2.2.0	2.2.22
debian / debian_linux	5.0	5.0.x
debian / debian_linux	7.0	7.0.x
debian / debian_linux	6.0	6.0.x
opensuse / opensuse	11.4	11.4.x
suse / linux_enterprise_software_development_kit	10-sp4	10-sp4.x
suse / linux_enterprise_server	10-sp4	10-sp4.x
redhat / enterprise_linux_desktop	6.0	6.0.x
redhat / enterprise_linux_server	6.0	6.0.x
redhat / enterprise_linux_workstation	6.0	6.0.x
redhat / storage	2.0	2.0.x
redhat / enterprise_linux_eus	6.2	6.2.x
redhat / jboss_enterprise_web_server	1.0.0	1.0.0.x

Vulnerability Database

289,599

CVE-2012-0053