CVE-2009-1955

high Apache
CVSS v3 Base Score
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
2.3%
Exploitation probability in 30 days
Top 15% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Confidentiality
None
Integrity
None
Availability
High
Published: June 8, 2009 (6184 days ago)
Last Modified: April 23, 2026
Vendor: Apache
Source: NVD

Description

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.

CWE

CWE-776

Affected Products

apache apr-utilapple mac os xsuse linux enterprise serverdebian debian linuxcanonical ubuntu linuxfedoraproject fedoraoracle http serverapache http server

References

🔗 lists.apple.com 🔗 lists.opensuse.org 🔗 marc.info 🔗 marc.info 🔗 secunia.com