Home

CVE-2018-1302

Description

When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.

Risk Information

Base Score
5.9
MODERATE
Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Exploitation Probability
11.001

Associated Vulnerability

VulnerabilityOS Platform
Update Apache to version 2.4.33Windows
Vulnerabilities CVE-2018-1302 are fixed in Apache 2.4.33Windows
Apache HTTP server (USN-3783-1) apache2-bin_2.4.29-1ubuntu4.4_i386.debLinux
Apache HTTP server (USN-3783-1) apache2-bin_2.4.29-1ubuntu4.4_amd64.debLinux
Update Apache to version 2.4.33 (For Linux)Linux
Httpd update (ELSA-2024-3121) httpd-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpmLinux
Httpd-devel update (ELSA-2024-3121) httpd-devel-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpmLinux
Httpd-filesystem update (ELSA-2024-3121) httpd-filesystem-2.4.37-64.module+el8.10.0+90271+3bc76a16.noarch.rpmLinux
Httpd-manual update (ELSA-2024-3121) httpd-manual-2.4.37-64.module+el8.10.0+90271+3bc76a16.noarch.rpmLinux
Httpd-tools update (ELSA-2024-3121) httpd-tools-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpmLinux
Mod_http2 update (ELSA-2024-3121) mod_http2-1.15.7-10.module+el8.10.0+90327+96b8ea28.x86_64.rpmLinux
Mod_ldap update (ELSA-2024-3121) mod_ldap-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpmLinux
Mod_md update (ELSA-2024-3121) mod_md-2.0.8-8.module+el8.9.0+90011+2f9c6a23.x86_64.rpmLinux
Mod_proxy_html update (ELSA-2024-3121) mod_proxy_html-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpmLinux
Mod_session update (ELSA-2024-3121) mod_session-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpmLinux
Mod_ssl update (ELSA-2024-3121) mod_ssl-2.4.37-64.module+el8.10.0+90271+3bc76a16.x86_64.rpmLinux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234