Executive Summary

Informations
NameCVE-2013-1896First vendor Publication2013-07-10
VendorCveLast vendor Modification2017-09-18

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Cvss Base Score4.3Attack RangeNetwork
Cvss Impact Score2.9Attack ComplexityMedium
Cvss Expoit Score8.6AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896

CWE : Common Weakness Enumeration

%idName
100 %CWE-264Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:21205
 
Oval ID: oval:org.mitre.oval:def:21205
Title: RHSA-2013:1156: httpd security update (Moderate)
Description: mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
Family: unix Class: patch
Reference(s): RHSA-2013:1156-01
CESA-2013:1156
CVE-2013-1896
Version: 4
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
CentOS Linux 5
CentOS Linux 6
Product(s): httpd
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19747
 
Oval ID: oval:org.mitre.oval:def:19747
Title: HP-UX Apache Web Server, Remote Execution of Arbitrary Code, Denial of Service (DoS)
Description: mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
Family: unix Class: vulnerability
Reference(s): CVE-2013-1896
Version: 11
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18835
 
Oval ID: oval:org.mitre.oval:def:18835
Title: Apache HTTP vulnerability before 2.2.25 in VisualSVN Server (CVE-2013-1896)
Description: mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
Family: windows Class: vulnerability
Reference(s): CVE-2013-1896
Version: 5
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): VisualSVN Server
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18274
 
Oval ID: oval:org.mitre.oval:def:18274
Title: USN-1903-1 -- apache2 vulnerabilities
Description: Several security issues were fixed in the Apache HTTP Server.
Family: unix Class: patch
Reference(s): USN-1903-1
CVE-2013-1862
CVE-2013-1896
Version: 7
Platform(s): Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): apache2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23801
 
Oval ID: oval:org.mitre.oval:def:23801
Title: ELSA-2013:1156: httpd security update (Moderate)
Description: mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
Family: unix Class: patch
Reference(s): ELSA-2013:1156-01
CVE-2013-1896
Version: 6
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): httpd
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23320
 
Oval ID: oval:org.mitre.oval:def:23320
Title: DEPRECATED: ELSA-2013:1156: httpd security update (Moderate)
Description: mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.
Family: unix Class: patch
Reference(s): ELSA-2013:1156-01
CVE-2013-1896
Version: 7
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): httpd
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26836
 
Oval ID: oval:org.mitre.oval:def:26836
Title: SUSE-SU-2014:1082-1 -- Security update for apache2
Description: This apache2 update fixes the following security issues: * log_cookie mod_log_config.c remote denial of service (CVE-2014-0098, bnc#869106) * mod_dav denial of service (CVE-2013-6438, bnc#869105) * mod_cgid denial of service (CVE-2014-0231, bnc#887768) * mod_status heap-based buffer overflow (CVE-2014-0226, bnc#887765) * mod_rewrite: escape logdata to avoid terminal escapes (CVE-2013-1862, bnc#829057) * mod_dav: segfault in merge request (CVE-2013-1896, bnc#829056) Security Issues: * CVE-2014-0098 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098> * CVE-2013-6438 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438> * CVE-2014-0226 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226> * CVE-2014-0231 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231> * CVE-2013-1862 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862> * CVE-2013-1896 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1082-1
CVE-2014-0098
CVE-2013-6438
CVE-2014-0231
CVE-2014-0226
CVE-2013-1862
CVE-2013-1896
Version: 3
Platform(s): SUSE Linux Enterprise Server 10
Product(s): apache2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27412
 
Oval ID: oval:org.mitre.oval:def:27412
Title: DEPRECATED: ELSA-2013-1156 -- httpd security update (moderate)
Description: [2.2.15-29.0.1.el6_4] - replace index.html with Oracle's index page oracle_index.html update vstring in specfile [2.2.15-29] - mod_dav: add security fix for CVE-2013-1896 (#991368)
Family: unix Class: patch
Reference(s): ELSA-2013-1156
CVE-2013-1896
Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): httpd
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application187

Information Assurance Vulnerability Management (IAVM)

DateDescription
2015-07-16IAVM : 2015-A-0149 - Multiple Vulnerabilities in Juniper Networks and Security Manager(NSM) Appliance
Severity : Category I - VMSKEY : V0061101
2014-02-27IAVM : 2014-A-0030 - Apple Mac OS X Security Update 2014-001
Severity : Category I - VMSKEY : V0044547
2013-09-12IAVM : 2013-A-0177 - Multiple Vulnerabilities in Red Hat JBoss Enterprise Application Platform
Severity : Category I - VMSKEY : V0040288
2013-07-25IAVM : 2013-A-0146 - Multiple Security Vulnerabilities in Apache HTTP Server
Severity : Category I - VMSKEY : V0039573

Snort® IPS/IDS

DateDescription
2017-12-13Apache HTTP Server possible mod_dav.c remote denial of service vulnerability ...
RuleID : 44808 - Revision : 2 - Type : INDICATOR-COMPROMISE

Nessus® Vulnerability Scanner

DateDescription
2015-07-20Name : The remote host is affected by multiple vulnerabilities.
File : juniper_nsm_jsa10685.nasl - Type : ACT_GATHER_INFO
2015-07-20Name : The remote host is affected by multiple vulnerabilities.
File : juniper_nsm_jsa10685_cred.nasl - Type : ACT_GATHER_INFO
2015-05-20Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-1082-1.nasl - Type : ACT_GATHER_INFO
2015-01-19Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_apache_20131015.nasl - Type : ACT_GATHER_INFO
2014-12-22Name : The remote device is affected by multiple vulnerabilities.
File : juniper_space_jsa10627.nasl - Type : ACT_GATHER_INFO
2014-12-16Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-770.nasl - Type : ACT_GATHER_INFO
2014-06-26Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1133.nasl - Type : ACT_GATHER_INFO
2014-06-13Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-637.nasl - Type : ACT_GATHER_INFO
2014-06-13Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-638.nasl - Type : ACT_GATHER_INFO
2014-02-25Name : The remote host is missing a Mac OS X update that fixes a certificate validat...
File : macosx_10_9_2.nasl - Type : ACT_GATHER_INFO
2014-02-25Name : The remote host is missing a Mac OS X update that fixes multiple security vul...
File : macosx_SecUpd2014-001.nasl - Type : ACT_GATHER_INFO
2014-01-31Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2013-1209.nasl - Type : ACT_GATHER_INFO
2014-01-20Name : The remote application server is potentially affected by multiple vulnerabili...
File : websphere_7_0_0_31.nasl - Type : ACT_GATHER_INFO
2013-12-05Name : The remote application server may be affected by multiple vulnerabilities.
File : websphere_8_5_5_1.nasl - Type : ACT_GATHER_INFO
2013-09-24Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201309-12.nasl - Type : ACT_GATHER_INFO
2013-09-20Name : The remote application server may be affected by multiple vulnerabilities.
File : websphere_6_1_0_47.nasl - Type : ACT_GATHER_INFO
2013-09-13Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1207.nasl - Type : ACT_GATHER_INFO
2013-09-13Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1208.nasl - Type : ACT_GATHER_INFO
2013-08-27Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_apache2-130730.nasl - Type : ACT_GATHER_INFO
2013-08-23Name : The remote application server may be affected by multiple vulnerabilities.
File : websphere_8_0_0_7.nasl - Type : ACT_GATHER_INFO
2013-08-20Name : The remote Fedora host is missing a security update.
File : fedora_2013-13922.nasl - Type : ACT_GATHER_INFO
2013-08-14Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1156.nasl - Type : ACT_GATHER_INFO
2013-08-14Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-1156.nasl - Type : ACT_GATHER_INFO
2013-08-14Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20130813_httpd_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2013-08-14Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-1156.nasl - Type : ACT_GATHER_INFO
2013-08-10Name : The remote Fedora host is missing a security update.
File : fedora_2013-13994.nasl - Type : ACT_GATHER_INFO
2013-08-07Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2013-218-02.nasl - Type : ACT_GATHER_INFO
2013-07-23Name : The remote web server is affected by multiple vulnerabilities.
File : apache_2_4_6.nasl - Type : ACT_GATHER_INFO
2013-07-22Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_ca4d63fbf15c11e2b18320cf30e32f6d.nasl - Type : ACT_GATHER_INFO
2013-07-16Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1903-1.nasl - Type : ACT_GATHER_INFO
2013-07-16Name : The remote web server may be affected by multiple cross-site scripting vulner...
File : apache_2_2_25.nasl - Type : ACT_GATHER_INFO
2013-07-12Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-193.nasl - Type : ACT_GATHER_INFO
2013-07-06Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_f3d24aeee5ad11e2b18320cf30e32f6d.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

SourceUrl
BID http://www.securityfocus.com/bid/61129
CISCO http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1896
CONFIRM http://support.apple.com/kb/HT6150
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?r1=...
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?vie...
http://www-01.ibm.com/support/docview.wss?uid=swg21644047
http://www.apache.org/dist/httpd/Announcement2.2.html
https://httpd.apache.org/security/vulnerabilities_24.html
HP https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispla...
REDHAT http://rhn.redhat.com/errata/RHSA-2013-1156.html
http://rhn.redhat.com/errata/RHSA-2013-1207.html
http://rhn.redhat.com/errata/RHSA-2013-1208.html
http://rhn.redhat.com/errata/RHSA-2013-1209.html
SUSE http://lists.opensuse.org/opensuse-updates/2013-08/msg00026.html
http://lists.opensuse.org/opensuse-updates/2013-08/msg00029.html
http://lists.opensuse.org/opensuse-updates/2013-08/msg00030.html
UBUNTU http://www.ubuntu.com/usn/USN-1903-1

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
DateInformations
2018-09-22 12:04:50
  • Multiple Updates
2018-04-19 12:04:09
  • Multiple Updates
2017-09-19 09:25:57
  • Multiple Updates
2017-01-07 09:25:12
  • Multiple Updates
2016-09-30 01:04:11
  • Multiple Updates
2016-06-28 19:25:44
  • Multiple Updates
2016-04-26 23:02:32
  • Multiple Updates
2015-10-18 17:22:18
  • Multiple Updates
2015-07-24 13:29:03
  • Multiple Updates
2015-05-21 13:30:20
  • Multiple Updates
2015-01-21 13:26:07
  • Multiple Updates
2014-12-23 13:26:18
  • Multiple Updates
2014-12-17 13:25:17
  • Multiple Updates
2014-06-27 13:26:12
  • Multiple Updates
2014-06-14 13:35:09
  • Multiple Updates
2014-03-06 13:22:12
  • Multiple Updates
2014-02-28 17:19:12
  • Multiple Updates
2014-02-26 13:21:13
  • Multiple Updates
2014-02-17 11:18:35
  • Multiple Updates
2013-12-05 17:19:57
  • Multiple Updates
2013-11-11 12:40:21
  • Multiple Updates
2013-11-04 21:26:42
  • Multiple Updates
2013-10-11 13:26:02
  • Multiple Updates
2013-10-01 17:19:35
  • Multiple Updates
2013-09-26 21:22:40
  • Multiple Updates
2013-08-30 17:22:42
  • Multiple Updates
2013-08-23 13:19:12
  • Multiple Updates
2013-08-22 17:19:54
  • Multiple Updates
2013-07-11 21:27:35
  • Multiple Updates
2013-07-11 13:30:06
  • First insertion