Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2007-3303

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-20 Jun, 2007 | 22:00
Updated At-07 Aug, 2024 | 14:14
Rejected At-
Credits

Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users to cause a denial of service via certain code sequences executed in a worker process that (1) stop request processing by killing all worker processes and preventing creation of replacements or (2) hang the system by forcing the master process to fork an arbitrarily large number of worker processes. NOTE: This might be an inherent design limitation of Apache with respect to worker processes in hosted environments.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:20 Jun, 2007 | 22:00
Updated At:07 Aug, 2024 | 14:14
Rejected At:
▼CVE Numbering Authority (CNA)

Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users to cause a denial of service via certain code sequences executed in a worker process that (1) stop request processing by killing all worker processes and preventing creation of replacements or (2) hang the system by forcing the master process to fork an arbitrarily large number of worker processes. NOTE: This might be an inherent design limitation of Apache with respect to worker processes in hosted environments.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://security.psnc.pl/files/apache_report.pdf
x_refsource_MISC
http://osvdb.org/37050
vdb-entry
x_refsource_OSVDB
http://www.securityfocus.com/archive/1/469899/100/0/threaded
mailing-list
x_refsource_BUGTRAQ
http://securityreason.com/securityalert/2814
third-party-advisory
x_refsource_SREASON
http://www.securityfocus.com/archive/1/471832/100/0/threaded
mailing-list
x_refsource_BUGTRAQ
http://www.securityfocus.com/bid/24215
vdb-entry
x_refsource_BID
Hyperlink: http://security.psnc.pl/files/apache_report.pdf
Resource:
x_refsource_MISC
Hyperlink: http://osvdb.org/37050
Resource:
vdb-entry
x_refsource_OSVDB
Hyperlink: http://www.securityfocus.com/archive/1/469899/100/0/threaded
Resource:
mailing-list
x_refsource_BUGTRAQ
Hyperlink: http://securityreason.com/securityalert/2814
Resource:
third-party-advisory
x_refsource_SREASON
Hyperlink: http://www.securityfocus.com/archive/1/471832/100/0/threaded
Resource:
mailing-list
x_refsource_BUGTRAQ
Hyperlink: http://www.securityfocus.com/bid/24215
Resource:
vdb-entry
x_refsource_BID
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://security.psnc.pl/files/apache_report.pdf
x_refsource_MISC
x_transferred
http://osvdb.org/37050
vdb-entry
x_refsource_OSVDB
x_transferred
http://www.securityfocus.com/archive/1/469899/100/0/threaded
mailing-list
x_refsource_BUGTRAQ
x_transferred
http://securityreason.com/securityalert/2814
third-party-advisory
x_refsource_SREASON
x_transferred
http://www.securityfocus.com/archive/1/471832/100/0/threaded
mailing-list
x_refsource_BUGTRAQ
x_transferred
http://www.securityfocus.com/bid/24215
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: http://security.psnc.pl/files/apache_report.pdf
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://osvdb.org/37050
Resource:
vdb-entry
x_refsource_OSVDB
x_transferred
Hyperlink: http://www.securityfocus.com/archive/1/469899/100/0/threaded
Resource:
mailing-list
x_refsource_BUGTRAQ
x_transferred
Hyperlink: http://securityreason.com/securityalert/2814
Resource:
third-party-advisory
x_refsource_SREASON
x_transferred
Hyperlink: http://www.securityfocus.com/archive/1/471832/100/0/threaded
Resource:
mailing-list
x_refsource_BUGTRAQ
x_transferred
Hyperlink: http://www.securityfocus.com/bid/24215
Resource:
vdb-entry
x_refsource_BID
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:20 Jun, 2007 | 22:30
Updated At:16 Oct, 2018 | 16:48

Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users to cause a denial of service via certain code sequences executed in a worker process that (1) stop request processing by killing all worker processes and preventing creation of replacements or (2) hang the system by forcing the master process to fork an arbitrarily large number of worker processes. NOTE: This might be an inherent design limitation of Apache with respect to worker processes in hosted environments.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary2.04.9MEDIUM
AV:L/AC:L/Au:N/C:N/I:N/A:C
Type: Primary
Version: 2.0
Base score: 4.9
Base severity: MEDIUM
Vector:
AV:L/AC:L/Au:N/C:N/I:N/A:C
CPE Matches
The Apache Software Foundation
apache
>>http_server>>2.0.59
cpe:2.3:a:apache:http_server:2.0.59:*:*:*:*:*:*:*
The Apache Software Foundation
apache
>>http_server>>2.2.4
cpe:2.3:a:apache:http_server:2.2.4:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-94Primarynvd@nist.gov
CWE ID: CWE-94
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
Organization : Apache
Last Modified : 2008-07-02T00:00:00

In the security model used by Apache httpd, the less-privileged child processes completely handle the servicing of new connections. Any local user who is able to run arbitrary code in those children is therefore able to prevent new requests from being serviced, by design. Such users will also be able to "simulate" server load and force the parent to create children up to the configured limits, by design. A server with untrusted local users must be configured to use a solution like "suexec" if its required to allow the users to execute CGI (etc) scripts.

Organization : Red Hat
Last Modified : 2007-06-26T00:00:00

Not a vulnerability. In the security model used by Apache httpd, the less-privileged child processes (running as the "apache" user) completely handle the servicing of new connections. Any local user who is able to run arbitrary code in those children is therefore able to prevent new requests from being serviced, by design. Such users will also be able to "simulate" server load and force the parent to create children up to the configured limits, by design.

References
HyperlinkSourceResource
http://osvdb.org/37050cve@mitre.org
N/A
http://security.psnc.pl/files/apache_report.pdfcve@mitre.org
N/A
http://securityreason.com/securityalert/2814cve@mitre.org
N/A
http://www.securityfocus.com/archive/1/469899/100/0/threadedcve@mitre.org
N/A
http://www.securityfocus.com/archive/1/471832/100/0/threadedcve@mitre.org
N/A
http://www.securityfocus.com/bid/24215cve@mitre.org
N/A
Hyperlink: http://osvdb.org/37050
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://security.psnc.pl/files/apache_report.pdf
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://securityreason.com/securityalert/2814
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.securityfocus.com/archive/1/469899/100/0/threaded
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.securityfocus.com/archive/1/471832/100/0/threaded
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.securityfocus.com/bid/24215
Source: cve@mitre.org
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

62Records found
CVE-2023-51784
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-6.75% / 91.11%
||
7 Day CHG~0.00%
Published-03 Jan, 2024 | 09:39
Updated-16 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache InLong: Remote Code Execution vulnerability in Apache InLong Manager

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.This issue affects Apache InLong: from 1.5.0 through 1.9.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9329

Action-Not Available
Vendor-The Apache Software Foundation
Product-inlongApache InLong
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-49109
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-3.23% / 86.84%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 09:58
Updated-18 Mar, 2025 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution in Apache Dolphinscheduler

Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.1. We recommend users to upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-dolphinschedulerApache DolphinSchedulerdolphinscheduler
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-46226
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-6.45% / 90.87%
||
7 Day CHG~0.00%
Published-15 Jan, 2024 | 10:35
Updated-20 Jun, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache IoTDB: Remote Code Execution (RCE) risk via the UDF

Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2. Users are recommended to upgrade to version 1.3.0, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-iotdbApache IoTDB
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-2115
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-8.1||HIGH
EPSS-89.76% / 99.55%
||
7 Day CHG~0.00%
Published-10 Jul, 2013 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.

Action-Not Available
Vendor-n/aThe Apache Software Foundation
Product-strutsn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-1966
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-9.3||HIGH
EPSS-90.95% / 99.62%
||
7 Day CHG~0.00%
Published-10 Jul, 2013 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.

Action-Not Available
Vendor-n/aThe Apache Software Foundation
Product-strutsn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2009-3302
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.3||HIGH
EPSS-42.76% / 97.39%
||
7 Day CHG~0.00%
Published-16 Feb, 2010 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTSetBrc table property modifier in a Word document, related to a "boundary error flaw."

Action-Not Available
Vendor-n/aCanonical Ltd.The Apache Software FoundationDebian GNU/Linux
Product-openofficedebian_linuxubuntu_linuxn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-1777
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-10||HIGH
EPSS-4.82% / 89.30%
||
7 Day CHG~0.00%
Published-11 Jul, 2013 | 22:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

Action-Not Available
Vendor-n/aThe Apache Software FoundationIBM Corporation
Product-websphere_application_servergeronimon/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-26112
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-1.77% / 82.38%
||
7 Day CHG~0.00%
Published-23 Sep, 2022 | 08:05
Updated-27 May, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pinot query endpoint and the realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support

In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support. In order to avoid this, we disabled the groovy function support by default from Pinot release 0.11.0. See https://docs.pinot.apache.org/basics/releases/0.11.0

Action-Not Available
Vendor-The Apache Software Foundation
Product-pinotApache Pinot
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-25813
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-7.5||HIGH
EPSS-57.51% / 98.11%
||
7 Day CHG~0.00%
Published-02 Sep, 2022 | 07:10
Updated-03 Aug, 2024 | 04:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Template Injection affecting the ecommerce plugin of Apache OFBiz

In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. A RCE is then possible.

Action-Not Available
Vendor-The Apache Software Foundation
Product-ofbizApache OFBiz
CWE ID-CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2012-5649
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.8||MEDIUM
EPSS-1.84% / 82.67%
||
7 Day CHG~0.00%
Published-23 May, 2014 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2.1 allows remote attackers to execute arbitrary code via a JSONP callback, related to Adobe Flash.

Action-Not Available
Vendor-n/aThe Apache Software Foundation
Product-couchdbn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-56373
Matching Score-6
Assigner-Apache Software Foundation
ShareView Details
Matching Score-6
Assigner-Apache Software Foundation
CVSS Score-8.4||HIGH
EPSS-0.10% / 28.57%
||
7 Day CHG~0.00%
Published-24 Feb, 2026 | 10:06
Updated-26 Feb, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Airflow: SSTI to Code Execution in Airflow through Shared DB Information

DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information. The functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they want to continue to use log template history. They can also manually modify historical log file names if they want to see historical logs that were generated before the last log template change.

Action-Not Available
Vendor-The Apache Software Foundation
Product-airflowApache Airflow
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2012-2273
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.9||MEDIUM
EPSS-0.11% / 29.81%
||
7 Day CHG~0.00%
Published-20 Apr, 2012 | 01:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Comodo Internet Security before 5.10.228257.2253 on Windows 7 x64 allows local users to cause a denial of service (system crash) via a crafted 32-bit Portable Executable (PE) file with a kernel ImageBase value.

Action-Not Available
Vendor-comodon/aMicrosoft Corporation
Product-comodo_internet_securitywindows_7n/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
  • Previous
  • 1
  • 2
  • Next
Details not found