{ "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0", "generator": { "engine": "xmltojsonmjc 1.0" }, "references": {}, "timeline": [ { "time": "2017-05-06", "lang": "eng", "value": "reported" }, { "time": "2017-06-19", "lang": "eng", "value": "public" }, { "time": "2017-06-19", "lang": "eng", "value": "2.4.26 released" }, { "time": "2017-07-11", "lang": "eng", "value": "2.2.34 released" } ], "CNA_private": { "owner": "httpd" }, "CVE_data_meta": { "ASSIGNER": "security@apache.org", "AKA": "", "STATE": "PUBLIC", "DATE_PUBLIC": "2017-06-19", "ID": "CVE-2017-7668", "TITLE": "ap_find_token() Buffer Overread" }, "source": { "defect": [], "advisory": "", "discovery": "UNKNOWN" }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "ap_find_token() Buffer Overread" } ] } ] }, "credit": [ { "lang": "eng", "value": "We would like to thank Javier Jiménez (javijmor@gmail.com) for reporting this issue." } ], "description": { "description_data": [ { "lang": "eng", "value": "The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value." } ] }, "impact": [ { "other": "important" } ], "affects": { "vendor": { "vendor_data": [ { "vendor_name": "Apache Software Foundation", "product": { "product_data": [ { "product_name": "Apache HTTP Server", "version": { "version_data": [ { "version_name": "2.4", "version_affected": "=", "version_value": "2.4.25" }, { "version_name": "2.2", "version_affected": "=", "version_value": "2.2.32" } ] } } ] } } ] } } }