Zero-day Vulnerability Database

Change view

Zero-day vulnerabilities discovered: 4

Denial of service in Apache Struts
CVE-2014-0050

Infinite loop

The vulnerability allows a remote attacker to cause DoS conditions on the target system.

The weakness exists due to boundary error when handling Content-Type HTTP header for multipart requests. By sending a specially crafted Content-Type header, containing 4092 characters in "boundary" field, a remote attacker can cause the application to enter into an infinite loop.

Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Note: the vulnerability was being actively exploited.
i

On April 24, 2014, the Apache Software Foundation (ASF) released an advisory warning that a patch issued in March, 2 for a zero-day vulnerability in Apache Struts up to version 2.3.16.1, did not fully patch the vulnerabilities (CVE-2014-0094 or CVE-2014-0050).

Software: Apache Struts

On April 24, 2014, the Apache Software Foundation (ASF) released an advisory warning that a patch issued in March, 2 for a zero-day vulnerability in Apache Struts up to version 2.3.16.1, did not fully patch the vulnerabilities (CVE-2014-0094 or CVE-2014-0050).

Denial of service in Apache HTTP Server
CVE-2011-3192

Resource exhaustion

The vulnerability allows a remote attacker to cause DoS conditions on the target system.

The weakness exists due to an error in the ByteRange filter when processing malicious requests in Apache HTTP server. A remote attacker can send a specially crafted HTTP request containing an overly large Range header, exhaust all available memory resources and trigger the application to crash.

Successful exploitation of the vulnerability results in denial service on the vulnerable system.

Note: the vulnerability was being actively exploited.
i

The vulnerability is known as "Apache Killer".

Software: Apache HTTP Server

The vulnerability is known as "Apache Killer".

Denial of service in Apache Subversion
CVE-2011-1752

Null pointer dereference

The vulnerability allows a remote attacker to cause DoS conditions on the target system.

The weakness exists due to NULL pointer dereference in the mod_dav_svn module when processing baselined WebDAV resources. A remote attacker can create a specially crafted request, send it to the victim and cause the Subversion server to crash.

Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Note: the vulnerability was being actively exploited.
i

The vulnerability was discovered by Joe Schaefer.

Software: Subversion

The vulnerability was discovered by Joe Schaefer.

Remote code execution in Apache OpenOffice
CVE-2009-0259

Memory corruption

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error in the Word processor. A remote attacker can create a specially crafted .doc, .wri, or .rtf Word 97 file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.
i

The vulnerability was discovered by Jan Lieskovsky.
Exploited in the wild in December 2008.

Software: OpenOffice

The vulnerability was discovered by Jan Lieskovsky.
Exploited in the wild in December 2008.