CVE-2011-1176

The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers to gain privileges by leveraging the root uid and root gid of an mpm-itk process.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618857	Issue Tracking Patch Third Party Advisory
http://lists.err.no/pipermail/mpm-itk/2011-March/000393.html	Patch Third Party Advisory
http://lists.err.no/pipermail/mpm-itk/2011-March/000394.html	Release Notes Third Party Advisory
http://openwall.com/lists/oss-security/2011/03/20/1	Mailing List Third Party Advisory
http://openwall.com/lists/oss-security/2011/03/21/13	Mailing List Third Party Advisory
http://www.debian.org/security/2011/dsa-2202	Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2011:057	Third Party Advisory
http://www.securityfocus.com/bid/46953	Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2011/0748	Third Party Advisory
http://www.vupen.com/english/advisories/2011/0749	Third Party Advisory
http://www.vupen.com/english/advisories/2011/0824	Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/66248	Third Party Advisory VDB Entry
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618857	Issue Tracking Patch Third Party Advisory
http://lists.err.no/pipermail/mpm-itk/2011-March/000393.html	Patch Third Party Advisory
http://lists.err.no/pipermail/mpm-itk/2011-March/000394.html	Release Notes Third Party Advisory
http://openwall.com/lists/oss-security/2011/03/20/1	Mailing List Third Party Advisory
http://openwall.com/lists/oss-security/2011/03/21/13	Mailing List Third Party Advisory
http://www.debian.org/security/2011/dsa-2202	Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2011:057	Third Party Advisory
http://www.securityfocus.com/bid/46953	Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2011/0748	Third Party Advisory
http://www.vupen.com/english/advisories/2011/0749	Third Party Advisory
http://www.vupen.com/english/advisories/2011/0824	Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/66248	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:mpm-itk_project:mpm-itk:2.2.11-01:::::::*
	cpe:2.3:a:mpm-itk_project:mpm-itk:2.2.11-02:::::::*

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:5.0:::::::*
	cpe:2.3:o:debian:debian_linux:6.0:::::::*
	cpe:2.3:o:debian:debian_linux:7.0:::::::*

History

21 Nov 2024, 01:25

Type	Values Removed	Values Added
References	~~() http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618857 - Issue Tracking, Patch, Third Party Advisory~~	() http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=618857 - Issue Tracking, Patch, Third Party Advisory
References	~~() http://lists.err.no/pipermail/mpm-itk/2011-March/000393.html - Patch, Third Party Advisory~~	() http://lists.err.no/pipermail/mpm-itk/2011-March/000393.html - Patch, Third Party Advisory
References	~~() http://lists.err.no/pipermail/mpm-itk/2011-March/000394.html - Release Notes, Third Party Advisory~~	() http://lists.err.no/pipermail/mpm-itk/2011-March/000394.html - Release Notes, Third Party Advisory
References	~~() http://openwall.com/lists/oss-security/2011/03/20/1 - Mailing List, Third Party Advisory~~	() http://openwall.com/lists/oss-security/2011/03/20/1 - Mailing List, Third Party Advisory
References	~~() http://openwall.com/lists/oss-security/2011/03/21/13 - Mailing List, Third Party Advisory~~	() http://openwall.com/lists/oss-security/2011/03/21/13 - Mailing List, Third Party Advisory
References	~~() http://www.debian.org/security/2011/dsa-2202 - Third Party Advisory~~	() http://www.debian.org/security/2011/dsa-2202 - Third Party Advisory
References	~~() http://www.mandriva.com/security/advisories?name=MDVSA-2011:057 - Third Party Advisory~~	() http://www.mandriva.com/security/advisories?name=MDVSA-2011:057 - Third Party Advisory
References	~~() http://www.securityfocus.com/bid/46953 - Third Party Advisory, VDB Entry~~	() http://www.securityfocus.com/bid/46953 - Third Party Advisory, VDB Entry
References	~~() http://www.vupen.com/english/advisories/2011/0748 - Third Party Advisory~~	() http://www.vupen.com/english/advisories/2011/0748 - Third Party Advisory
References	~~() http://www.vupen.com/english/advisories/2011/0749 - Third Party Advisory~~	() http://www.vupen.com/english/advisories/2011/0749 - Third Party Advisory
References	~~() http://www.vupen.com/english/advisories/2011/0824 - Third Party Advisory~~	() http://www.vupen.com/english/advisories/2011/0824 - Third Party Advisory
References	~~() https://exchange.xforce.ibmcloud.com/vulnerabilities/66248 - Third Party Advisory, VDB Entry~~	() https://exchange.xforce.ibmcloud.com/vulnerabilities/66248 - Third Party Advisory, VDB Entry

Information

Published : 2011-03-29 18:55

Updated : 2025-04-11 00:51

NVD link : CVE-2011-1176

Mitre link : CVE-2011-1176

CVE.ORG link : CVE-2011-1176

JSON object : View

Products Affected

mpm-itk_project

mpm-itk

debian

debian_linux

apache

http_server

CWE

NVD-CWE-noinfo

4.3 /10