5 - CVE-2010-2791

Executive Summary

Informations
Name	CVE-2010-2791	First vendor Publication	2010-08-05
Vendor	Cve	Last vendor Modification	2024-11-21

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score	5	Attack Range	Network
Cvss Impact Score	2.9	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE: this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2791

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-200	Information Exposure

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:22131

Oval ID:	oval:org.mitre.oval:def:22131
Title:	RHSA-2010:0659: httpd security and bug fix update (Moderate)
Description:	mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE: this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions.
Family:	unix	Class:	patch
Reference(s):	RHSA-2010:0659-01 CESA-2010:0659 CVE-2010-1452 CVE-2010-2791	Version:	29
Platform(s):	Red Hat Enterprise Linux 5 CentOS Linux 5	Product(s):	httpd
Definition Synopsis:
Redhat 5 or Centos 5 release The operating system installed on the system is Red Hat Enterprise Linux 5 AND The operating system installed on the system is CentOS Linux 5.x Packages section httpd-manual is earlier than 0:2.2.3-43.el5_5.3 AND httpd-devel is earlier than 0:2.2.3-43.el5_5.3 AND mod_ssl is earlier than 0:2.2.3-43.el5_5.3 AND httpd is earlier than 0:2.2.3-43.el5_5.3

Definition Id: oval:org.mitre.oval:def:22935

Oval ID:	oval:org.mitre.oval:def:22935
Title:	ELSA-2010:0659: httpd security and bug fix update (Moderate)
Description:	mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. NOTE: this is the same issue as CVE-2010-2068, but for a different OS and set of affected versions.
Family:	unix	Class:	patch
Reference(s):	ELSA-2010:0659-01 CVE-2010-1452 CVE-2010-2791	Version:	13
Platform(s):	Oracle Linux 5	Product(s):	httpd
Definition Synopsis:
Oracle Linux 5.x rpm test httpd-manual is earlier than 0:2.2.3-43.el5_5.3 AND httpd-devel is earlier than 0:2.2.3-43.el5_5.3 AND mod_ssl is earlier than 0:2.2.3-43.el5_5.3 AND httpd is earlier than 0:2.2.3-43.el5_5.3

Definition Id: oval:org.mitre.oval:def:27980

Oval ID:	oval:org.mitre.oval:def:27980
Title:	DEPRECATED: ELSA-2010-0659 -- httpd security and bug fix update (moderate)
Description:	[2.2.3-43.0.1.el5_5.3 ] - replace index.html with Oracle's index page oracle_index.html - update vstring and distro in specfile [2.2.3-43.3] - mod_ssl: improved fix for SSLRequire's OID() function (#625452) [2.2.3-43.2] - add security fixes for CVE-2010-1452, CVE-2010-2791 (#623210) - mod_deflate: rebase to 2.2.15 (#625435) - stop multiple invocations of filter init functions (#625451)
Family:	unix	Class:	patch
Reference(s):	ELSA-2010-0659 CVE-2010-1452 CVE-2010-2791	Version:	4
Platform(s):	Oracle Linux 5	Product(s):	httpd
Definition Synopsis:
Oracle Linux 5.x Packages match section httpd is earlier than 0:2.2.3-43.0.1.el5_5.3 AND httpd-devel is earlier than 0:2.2.3-43.0.1.el5_5.3 AND httpd-manual is earlier than 0:2.2.3-43.0.1.el5_5.3 AND mod_ssl is earlier than 0:2.2.3-43.0.1.el5_5.3

CPE : Common Platform Enumeration

Type	Description	Count
Application	Apache Http Server cpe:2.3:a:apache:http_server:2.2.9:::::::*	1

OpenVAS Exploits

Date	Description
2012-08-10	Name : Gentoo Security Advisory GLSA 201206-25 (apache) File : nvt/glsa_201206_25.nasl
2010-10-19	Name : Apache 'mod_proxy_http' 2.2.9 for Unix Timeout Handling Information Disclosur... File : nvt/gb_apache_42102.nasl
2010-09-07	Name : RedHat Update for httpd RHSA-2010:0659-01 File : nvt/gb_RHSA-2010_0659-01_httpd.nasl
2010-08-20	Name : Mandriva Update for apache MDVSA-2010:153 (apache) File : nvt/gb_mandriva_MDVSA_2010_153.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
65654	Apache HTTP Server mod_proxy_http mod_proxy_http.c Timeout Detection Weakness...

Nessus® Vulnerability Scanner

Date	Description
2015-12-30	Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL23332326.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0659.nasl - Type : ACT_GATHER_INFO
2013-06-29	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0659.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100830_httpd_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-06-25	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-25.nasl - Type : ACT_GATHER_INFO
2012-04-20	Name : The remote web server is affected by multiple vulnerabilities. File : hpsmh_7_0_0_24.nasl - Type : ACT_GATHER_INFO
2010-08-31	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0659.nasl - Type : ACT_GATHER_INFO
2010-08-17	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-153.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source	Url

Alert History

If you want to see full details history, please login or register.

Date	Informations
2024-11-28 23:07:53	Multiple Updates
2024-11-28 12:22:29	Multiple Updates
2023-11-07 21:47:34	Multiple Updates
2023-02-13 09:29:09	Multiple Updates
2021-06-06 17:23:02	Multiple Updates
2021-06-03 13:23:13	Multiple Updates
2021-03-30 21:23:09	Multiple Updates
2021-03-30 17:22:48	Multiple Updates
2020-05-23 00:26:10	Multiple Updates
2019-08-27 12:03:30	Multiple Updates
2017-08-17 09:23:04	Multiple Updates
2016-06-29 00:14:00	Multiple Updates
2015-12-31 13:26:02	Multiple Updates
2014-02-17 10:56:34	Multiple Updates
2013-10-11 13:23:06	Multiple Updates
2013-05-10 23:29:23	Multiple Updates
2013-04-18 13:19:47	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	3
CPE ID(s)	1
Sources(s)	21
osvdb(s)	1
Openvas Exploit(s)	4
Nessus® Exploit(s)	8

	Related
10	MDVSA-2013:150
10	HPSBMU02764 SSR...
7.8	GLSA-201206-25
7.5	CVE-2021-31618
5.5	CVE-2020-13938
5	RHSA-2010:0659
5	MDVSA-2010:153
5	CVE-2010-2068
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 8 more Alert(s)

5 - CVE-2010-2791

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Open Source Vulnerability Database (OSVDB)

Nessus® Vulnerability Scanner

Sources (Detail)

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU