一、 漏洞 CVE-2018-8011 基础信息
漏洞信息
# mod_md通过特制的请求造成核心转储从而导致拒绝服务漏洞
## 概述
通过精心设计的HTTP请求,`mod_md`挑战处理程序会解引用空指针,导致子进程崩溃。这可能会被用于对服务器进行拒绝服务(DoS)攻击。
## 影响版本
- 受影响版本:2.4.33
- 修复版本:2.4.34
## 细节
精心设计的HTTP请求会导致`mod_md`挑战处理程序解引用空指针,从而导致子进程崩溃。
## 影响
这种漏洞可以使攻击者通过DoS攻击来使服务器崩溃。
神龙判断
是否为 Web 类漏洞: 是
判断理由:
是。这个漏洞是由于mod_md模块在处理特定构造的HTTP请求时,会错误地解除引用一个空指针,进而导致子进程崩溃。攻击者可以通过发送特别构造的请求来利用这个漏洞,造成服务拒绝(DoS),影响服务器的正常运行。此问题在Apache HTTP Server 2.4.34版本中已修复,而2.4.33及之前版本受影响。
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
mod_md, DoS via Coredumps on specially crafted requests
来源:美国国家漏洞数据库 NVD
漏洞描述信息
By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.33).
来源:美国国家漏洞数据库 NVD
CVSS信息
N/A
来源:美国国家漏洞数据库 NVD
漏洞类别
N/A
来源:美国国家漏洞数据库 NVD
漏洞标题
Apache HTTP Server 安全漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
Apache HTTP Server是美国阿帕奇(Apache)软件基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点。 Apache HTTP Server 2.4.33版本中存在安全漏洞。攻击者可通过发送特制的HTTP请求利用该漏洞造成拒绝服务(空指针逆向引用和段错误)。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
代码问题
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2018-8011 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.33) | https://github.com/projectdiscovery/nuclei-templates/blob/main/javascript/cves/2018/CVE-2018-8011.yaml | POC详情 |
三、漏洞 CVE-2018-8011 的情报信息
- https://security.netapp.com/advisory/ntap-20180926-0007/x_refsource_CONFIRM
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011x_refsource_CONFIRM
- http://www.securitytracker.com/id/1041401vdb-entryx_refsource_SECTRACK
- https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3Emailing-listx_refsource_MLIST
标题: svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/-Apache Mail Archives -- 🔗来源链接
标签:mailing-listx_refsource_MLIST
神龙速读:- **CVE List:** The screenshot lists multiple CVEs (Common Vulnerabilities and Exposures) affecting various versions of Apache HTTP Server 2.4. Each CVE is accompanied by details such as: - CVE ID (e.g., CVE-2020-11287) - Severity (e.g., important, moderate, low) - Description of the vulnerability and its impact - Affected versions (e.g., Apache HTTP Server 2.4.9 to 2.4.33) - Mitigation or fix details - **Vulnerability Details:** Each vulnerability has a detailed description explaining the flaw, its potential impact, and the affected HTTP Server versions. For example: - **CVE-2020-11287:** Important severity, affecting Apache HTTP Server 2.4.9 to 2.4.33. It describes a crash when using an `Accept-Language` value of 3 characters with the `AuthLDAPCharsetConfig` directive. - **CVE-2020-11291:** Moderate severity, affecting Apache HTTP Server 2.4.32 to 2.4.34. It describes a memory leak in the openssl engine when handling certain client certificates. - **Affected Versions:** The screenshot specifies the exact versions of Apache HTTP Server that are impacted by each vulnerability, allowing users to determine if their server is affected. - **Fixes and Updates:** For each vulnerability, the screenshot provides information on the release that includes the fix, enabling users to update their servers accordingly. - **Severity Ratings:** Each CVE is tagged with a severity level (important, moderate, low), helping users prioritize which vulnerabilities to address first. - **Additional Notes:** The screenshot includes acknowledgments for individuals or organizations that discovered and reported the vulnerabilities, encouraging a collaborative approach to improving security.![svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/-Apache Mail Archives](https://cvepdf.imfht.com:2443//ti_screenshot/2025-11-10/screenshot-full-2025-11-10T21-18-01.472Z-ae7e7732b71db1cb8a70.webp)
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3Emailing-listx_refsource_MLIST
- https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3Emailing-listx_refsource_MLIST
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3Emailing-listx_refsource_MLIST
- https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3Ccvs.httpd.apache.org%3Emailing-listx_refsource_MLIST
- https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3Emailing-listx_refsource_MLIST
- https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3Emailing-listx_refsource_MLIST
标题: svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-Apache Mail Archives -- 🔗来源链接
标签:mailing-listx_refsource_MLIST
神龙速读:### 关键信息总结: #### 1. 漏洞列表与影响: - **CVE-2020-13938**: Improper Handling of Insufficient Privileges. Fixes an issue where unprivileged local users could stop httpd on Windows. - **CVE-2021-31618**: NULL pointer dereference on specially crafted HTTP/2 request. Affects certain versions of Apache HTTP Server 2.4.x. - **CVE-2019-17567**: mod_proxy_wstunnel tunneling of non-Upgrade authenticated or authorization possibly configured. - **CVE-2020-13930**: mod_proxy_http NULL pointer dereference. Affects certain versions of Apache HTTP Server. - **CVE-2020-13934**: APR pool mutex destruction crash. Affects Apache HTTP Server 2.4.39 and prior. - **CVE-2016-10005**: ap_get_basic_auth_pw() Authentication Bypass. Affects certain versions of Apache HTTP Server. #### 2. 影响范围: - **Apache HTTP Server 2.4.x** versions have multiple vulnerabilities affecting availability, integrity, and confidentiality. #### 3. 修复信息: - **CVS updates** show fixes committed to the `staging` branch for various versions of Apache HTTP Server. - **Acknowledgements** include contributions from various researchers and developers. #### 4. 建议措施: - **Update Apache HTTP Server** to the latest versions to mitigate identified vulnerabilities. - **Monitor and log** for potential attacks and unauthorized access attempts. - **Apply security patches** as soon as they are available to prevent exploitation of known vulnerabilities. --- This summary highlights the most critical vulnerabilities, their impact, affected versions, and recommended actions based on the provided screenshot content.![svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html-Apache Mail Archives](https://cvepdf.imfht.com:2443//ti_screenshot/2025-11-08/screenshot-full-2025-11-08T10-07-09.678Z-26c0b13e08bf33755860.webp)
- https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3Emailing-listx_refsource_MLIST
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3Emailing-listx_refsource_MLIST
- https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3Emailing-listx_refsource_MLIST
- https://nvd.nist.gov/vuln/detail/CVE-2018-8011
四、漏洞 CVE-2018-8011 的评论
暂无评论