Cisco Bug: CSCup45495 - MSE Apache HTTP Server and HTTP Trace vulnerabilities
Jan 30, 2020
- Cisco Mobility Services Engine
Known Affected Releases
Symptom: Cisco Mobility Services Engine contains a version of Apache HTTPD that is affected by the vulnerability identified by the following Common Vulnerabilities and Exposures (CVE) ID:
CVE-2012-0053: protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.
This has been classified by the vendor as having a CVSS v2 Base Score of 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N).
This bug was opened to address the potential impact on this product. The bug fix will also include further hardening of the HTTP server by disabling the TRACE method.
Conditions: Device with default configuration.
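An offline audit for the two issues named above, as an added example (not Cisco's or Apache's code): it checks a Server banner against the 2.2.x through 2.2.21 range and an httpd configuration for the TRACE setting. The banner and configuration text are constructed samples, the function names are hypothetical, and `TraceEnable` is the httpd directive that controls the TRACE method.

```python
import re

# Range stated in the CVE text: Apache HTTP Server 2.2.x through 2.2.21.
FIRST_AFFECTED = (2, 2, 0)
LAST_AFFECTED = (2, 2, 21)

# Constructed sample inputs, not taken from a real device.
SAMPLE_BANNER = "Apache/2.2.15 (Unix)"
SAMPLE_CONFIG = "# TraceEnable off\nServerTokens Full\n"
HARDENED_CONFIG = "ServerTokens Prod\nTraceEnable Off\n"

def banner_in_affected_range(banner):
    """True/False for an 'Apache/x.y.z' banner, None if no version is shown.

    A match is only a lead: vendors may backport fixes without changing the
    version string, so confirm against the vendor's fixed-release list.
    """
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    version = tuple(int(part) for part in m.groups())
    return FIRST_AFFECTED <= version <= LAST_AFFECTED

def trace_enabled(config_text):
    """True if TRACE is left enabled by the given configuration text.

    httpd defaults to 'TraceEnable on'. Assumption: one flat file where the
    last directive wins; Include files and VirtualHost overrides are not modeled.
    """
    setting = "on"
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):  # httpd comments are whole lines only
            continue
        m = re.match(r"TraceEnable\s+(\S+)", line, re.IGNORECASE)
        if m:
            setting = m.group(1).lower()
    return setting != "off"  # 'on' and 'extended' both answer TRACE

def audit(banner, config_text):
    """Return a list of findings; an empty list means neither check fired."""
    findings = []
    in_range = banner_in_affected_range(banner)
    if in_range:
        findings.append("version in 2.2.x-2.2.21 range named for CVE-2012-0053")
    elif in_range is None:
        findings.append("version not disclosed in banner; check package version")
    if trace_enabled(config_text):
        findings.append("TRACE enabled; set 'TraceEnable off'")
    return findings
```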