CVE-2017-9788

critical Apache
CVSS v3 Base Score
9.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Score
49.5%
Exploitation probability in 30 days
Top 2% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Confidentiality
High
Integrity
None
Availability
High
Published: July 13, 2017 (3227 days ago)
Last Modified: May 13, 2026
Vendor: Apache
Source: NVD

Description

In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service.

CWE

CWE-20

Affected Products

apache http serverdebian debian linuxapple mac os xnetapp oncommand unified managernetapp storage automation storeredhat enterprise linux desktopredhat enterprise linux serverredhat enterprise linux server ausredhat enterprise linux server eusredhat enterprise linux server tus

References

🔗 www.debian.org 🔗 www.oracle.com 🔗 www.securityfocus.com 🔗 www.securitytracker.com 🔗 access.redhat.com