CVE-2008-2364

Description

The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.

Category

CVSS 2.0 score: 5.0 (Severity: Medium)
EPSS: 2.06% (Top 20%)
Vendor advisories: opensuse.org, marc.info, sun.com, redhat.com, ubuntu.com, hp.com, gentoo.org, mandriva.com, apple.com, ibm.com, secunia.com, apache.org
Affected: n/a n/a

References

Link Tags
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html vendor advisory mailing list third party advisory
http://secunia.com/advisories/34259 third party advisory not applicable
http://secunia.com/advisories/34219 third party advisory not applicable
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11713 signature third party advisory vdb entry
http://secunia.com/advisories/31026 third party advisory not applicable
http://marc.info/?l=bugtraq&m=125631037611762&w=2 vendor advisory mailing list third party advisory issue tracking
http://secunia.com/advisories/31651 third party advisory not applicable
http://sunsolve.sun.com/search/document.do?assetkey=1-26-247666-1 vendor advisory broken link
http://www.securityfocus.com/bid/31681 third party advisory vdb entry
http://secunia.com/advisories/32838 third party advisory not applicable
http://www.securityfocus.com/archive/1/498567/100/0/threaded mailing list third party advisory vdb entry
http://secunia.com/advisories/31904 third party advisory not applicable
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html third party advisory
http://rhn.redhat.com/errata/RHSA-2008-0967.html third party advisory vendor advisory
http://www.securityfocus.com/bid/29653 patch third party advisory vdb entry
http://secunia.com/advisories/34418 third party advisory not applicable
http://secunia.com/advisories/30621 vendor advisory third party advisory not applicable
http://secunia.com/advisories/32685 third party advisory not applicable
https://exchange.xforce.ibmcloud.com/vulnerabilities/42987 third party advisory vdb entry
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html vendor advisory mailing list third party advisory
http://secunia.com/advisories/31416 third party advisory not applicable
http://www.securitytracker.com/id?1020267 broken link third party advisory vdb entry
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=666154&r2=666153&pathrev=666154 patch vendor advisory
http://www.ubuntu.com/usn/USN-731-1 third party advisory vendor advisory
http://www.vupen.com/english/advisories/2009/0320 vdb entry permissions required
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01539432 vendor advisory broken link
http://www-01.ibm.com/support/docview.wss?uid=swg27008517 third party advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9577 signature third party advisory vdb entry
http://secunia.com/advisories/32222 third party advisory not applicable
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6084 signature third party advisory vdb entry
http://www.redhat.com/support/errata/RHSA-2008-0966.html third party advisory vendor advisory
http://secunia.com/advisories/33156 third party advisory not applicable
http://secunia.com/advisories/33797 third party advisory not applicable
http://www.securityfocus.com/archive/1/494858/100/0/threaded mailing list third party advisory vdb entry
http://secunia.com/advisories/31404 third party advisory not applicable
https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00055.html vendor advisory mailing list third party advisory
http://security.gentoo.org/glsa/glsa-200807-06.xml third party advisory vendor advisory
http://www.vupen.com/english/advisories/2008/2780 vdb entry permissions required
http://marc.info/?l=bugtraq&m=123376588623823&w=2 vendor advisory mailing list third party advisory issue tracking
http://www.mandriva.com/security/advisories?name=MDVSA-2008:237 vendor advisory broken link
https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00153.html vendor advisory mailing list third party advisory
http://www.vupen.com/english/advisories/2008/1798 vdb entry permissions required
http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html vendor advisory broken link mailing list
http://support.apple.com/kb/HT3216 broken link
http://www.mandriva.com/security/advisories?name=MDVSA-2008:195 vendor advisory broken link
http://www-1.ibm.com/support/docview.wss?uid=swg1PK67579 third party advisory vendor advisory
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0328 broken link
https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r8c9983f1172a3415f915ddb7e14de632d2d0c326eb1285755a024165%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E mailing list

Frequently Asked Questions

What is the severity of CVE-2008-2364?
CVE-2008-2364 has been scored as a medium severity vulnerability.

How to fix CVE-2008-2364?
To fix CVE-2008-2364, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. For now, no other specific guidelines are available.

Is CVE-2008-2364 being actively exploited in the wild?
Based on public information, it is possible that CVE-2008-2364 is being exploited or will be exploited in the near future. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.