CVE-2013-6438

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/03/2014
Last modified:
12/04/2025

Description

The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* 2.2.0 (including) 2.2.27 (excluding)
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* 2.4.1 (including) 2.4.9 (excluding)
cpe:2.3:a:oracle:http_server:10.1.3.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:11.1.1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:12.1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:12.1.3.0:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*


References to Advisories, Solutions, and Tools