Vulnerability Details : CVE-2010-3872
A flaw was found in the mod_fcgid module of httpd. A malformed FastCGI response may result in a stack-based buffer overflow in the modules/fcgid/fcgid_bucket.c file in the fcgid_header_bucket_read() function, resulting in an application crash.
Vulnerability category: Overflow
Exploit prediction scoring system (EPSS) score for CVE-2010-3872
Probability of exploitation activity in the next 30 days: 0.05%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 18 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2010-3872
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.2
|
HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
3.9
|
10.0
|
NIST |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
Red Hat, Inc. |
CWE ids for CVE-2010-3872
-
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).Assigned by: secalert@redhat.com (Secondary)
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-3872
-
http://www.vupen.com/english/advisories/2010/2998
Webmail | OVH- OVHVendor Advisory
-
https://access.redhat.com/security/cve/CVE-2010-3872
CVE-2010-3872- Red Hat Customer Portal
-
http://www.debian.org/security/2010/dsa-2140
Debian -- Page not found
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/63303
Apache mod_fcgid module fcgid_header_bucket_read() buffer overflow CVE-2010-3872 Vulnerability Report
-
http://secunia.com/advisories/42302
Sign inVendor Advisory
-
http://www.vupen.com/english/advisories/2011/0031
Webmail | OVH- OVH
-
https://issues.apache.org/bugzilla/show_bug.cgi?id=49406
49406 – malformed FastCGI response may overwrite heapPatch
-
http://osvdb.org/69275
-
http://secunia.com/advisories/42288
Sign inVendor Advisory
-
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html
[SECURITY] Fedora 13 Update: mod_fcgid-2.3.6-1.fc13
-
http://www.securityfocus.com/bid/44900
Apache 'mod_fcgid' Module Unspecified Stack Buffer Overflow Vulnerability
-
http://www.gossamer-threads.com/lists/apache/announce/391406
Mailing List Archive: [ANNOUNCE] mod_fcgid 2.3.6 is released
-
https://bugzilla.redhat.com/show_bug.cgi?id=2248172
2248172 – (CVE-2010-3872) CVE-2010-3872 httpd: mod_fcgid: stack-based buffer overflow in fcgid_header_bucket_read() in modules/fcgid/fcgid_bucket.c
-
http://secunia.com/advisories/42815
Sign in
-
https://github.com/apache/httpd-mod_fcgid/commit/b1afa70840b4ab4e6fbc12ac8798b2f3ccc336b2
SECURITY: CVE-2010-3872 (cve.mitre.org) · apache/httpd-mod_fcgid@b1afa70 · GitHub
-
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html
[SECURITY] Fedora 12 Update: mod_fcgid-2.3.6-1.fc12
-
http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html
[security-announce] SUSE-SU-2011:0885-1: important: Security update for
-
http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html
[security-announce] openSUSE-SU-2011:0884-1: important: apache2-mod_fcgi
-
http://www.vupen.com/english/advisories/2010/2997
Webmail | OVH- OVHVendor Advisory
-
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html
[SECURITY] Fedora 14 Update: mod_fcgid-2.3.6-1.fc14
Products affected by CVE-2010-3872
- cpe:2.3:a:apache:mod_fcgid:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:mod_fcgid:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:mod_fcgid:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:mod_fcgid:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:mod_fcgid:2.3.3:*:*:*:*:*:*:*