CVE-2009-1955

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.

🔗 References (120)

• cve@mitrehttp://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html
• cve@mitrehttp://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
• cve@mitrehttp://marc.info/?l=apr-dev&m=124396021826125&w=2
• cve@mitrehttp://marc.info/?l=bugtraq&m=129190899612998&w=2
• cve@mitrehttp://secunia.com/advisories/34724
• cve@mitrehttp://secunia.com/advisories/35284
• cve@mitrehttp://secunia.com/advisories/35360
• cve@mitrehttp://secunia.com/advisories/35395
• cve@mitrehttp://secunia.com/advisories/35444
• cve@mitrehttp://secunia.com/advisories/35487
• cve@mitrehttp://secunia.com/advisories/35565
• cve@mitrehttp://secunia.com/advisories/35710
• cve@mitrehttp://secunia.com/advisories/35797
• cve@mitrehttp://secunia.com/advisories/35843
• cve@mitrehttp://secunia.com/advisories/36473