CVE-2017-9798

7.5

HIGH

Apache HTTP Server Optionsbleed Information Disclosure

Description

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

INFO

Published Date :

Sept. 18, 2017, 3:29 p.m.

Last Modified :

Nov. 7, 2023, 2:50 a.m.

Source :

[email protected]

Remotely Exploitable :

Yes !

Impact Score :

3.6

Exploitability Score :

3.9 Public PoC/Exploit Available at Github

CVE-2017-9798 has a 38 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2017-9798 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID	Vendor	Product	Action
1	Debian	debian_linux
1	Apache	http_server

: Total Affected Vendor : 2 | Products : 2

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2017-9798.

URL	Resource
http://openwall.com/lists/oss-security/2017/09/18/2	Mailing List VDB Entry
http://www.debian.org/security/2017/dsa-3980	Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	Patch Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html	Patch Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	Patch Third Party Advisory
http://www.securityfocus.com/bid/100872	Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/105598	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039387	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2017:2882	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2972	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3018	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3113	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3114	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3193	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3194	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3195	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3239	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3240	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3475	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3476	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3477	Third Party Advisory
https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html	Exploit Patch Technical Description Third Party Advisory
https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch	Exploit Patch Technical Description Third Party Advisory
https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67a	Patch Vendor Advisory
https://github.com/hannob/optionsbleed	Exploit Third Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798	Vendor Advisory
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E
https://security-tracker.debian.org/tracker/CVE-2017-9798	Third Party Advisory
https://security.gentoo.org/glsa/201710-32	Third Party Advisory
https://security.netapp.com/advisory/ntap-20180601-0003/	Third Party Advisory
https://support.apple.com/HT208331	Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us	Third Party Advisory
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch	Vendor Advisory
https://www.exploit-db.com/exploits/42745/	Exploit Third Party Advisory VDB Entry
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	Patch Third Party Advisory
https://www.tenable.com/security/tns-2019-09	Third Party Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Samaritin/OSINT

None

Updated: 1 month ago

0 stars 0 fork 0 watcher

Born at : Oct. 19, 2024, 7:04 p.m. This repo has been linked 146 different CVEs too.

smabramov/Vulnerabilities-and-attacks-on-information-systems

None

Updated: 8 months, 1 week ago

0 stars 0 fork 0 watcher

Born at : March 10, 2024, 12:15 p.m. This repo has been linked 170 different CVEs too.

andaks1/ib01

None

Updated: 9 months, 2 weeks ago

0 stars 0 fork 0 watcher

Born at : Feb. 5, 2024, 6:40 p.m. This repo has been linked 3 different CVEs too.

RClueX/Hackerone-Reports

None

Updated: 6 months, 2 weeks ago

1 stars 1 fork 1 watcher

Born at : Jan. 29, 2024, 7:04 a.m. This repo has been linked 80 different CVEs too.

cnnrshd/bbot-utils

Tools for parsing/enriching data from bbot. Probably not generally useful.

Python

Updated: 11 months ago

0 stars 0 fork 0 watcher

Born at : Dec. 19, 2023, 6:43 p.m. This repo has been linked 3 different CVEs too.

maxbardreausupdevinci/jokertitoolbox

None

Python Shell

Updated: 11 months, 1 week ago

0 stars 0 fork 0 watcher

Born at : Oct. 19, 2023, 9:39 a.m. This repo has been linked 2 different CVEs too.

kasem545/vulnsearch

find vulnerabilities in webserver

Shell

Updated: 2 months, 3 weeks ago

0 stars 0 fork 0 watcher

Born at : Aug. 12, 2023, 12:57 a.m. This repo has been linked 55 different CVEs too.

Dokukin1/Metasploitable

None

Updated: 1 year, 3 months ago

0 stars 0 fork 0 watcher

Born at : Aug. 9, 2023, 12:16 p.m. This repo has been linked 170 different CVEs too.

Xorlent/Red-Teaming-TTPs

None

Updated: 1 year, 3 months ago

0 stars 3 fork 3 watcher

Born at : July 23, 2023, 12:03 a.m. This repo has been linked 19 different CVEs too.

RoseSecurity-Research/Red-Teaming-TTPs

Useful Techniques, Tactics, and Procedures for red teamers and defenders, alike!

redteaming cybersecurity

Updated: 8 months ago

43 stars 4 fork 4 watcher

Born at : July 17, 2023, 4:32 a.m. This repo has been linked 19 different CVEs too.

Iknowmyname/Nmap-Scans-M2

None

Updated: 1 year, 4 months ago

0 stars 0 fork 0 watcher

Born at : June 30, 2023, 4:18 p.m. This repo has been linked 170 different CVEs too.

bioly230/THM_Skynet

None

Updated: 1 year, 4 months ago

0 stars 0 fork 0 watcher

Born at : June 30, 2023, 2:41 p.m. This repo has been linked 78 different CVEs too.

NikulinMS/13-01-hw

None

Updated: 1 year, 7 months ago

1 stars 0 fork 0 watcher

Born at : April 10, 2023, 5:46 p.m. This repo has been linked 170 different CVEs too.

Zhivarev/13-01-hw

Уязвимости и атаки на информационные системы

Updated: 9 months, 1 week ago

0 stars 0 fork 0 watcher

Born at : March 24, 2023, 8:20 a.m. This repo has been linked 170 different CVEs too.

zzzWTF/db-13-01

None

Updated: 1 year, 8 months ago

0 stars 2 fork 2 watcher

Born at : March 12, 2023, 3:01 a.m. This repo has been linked 170 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2017-9798 vulnerability anywhere in the article.

seclists.org

[SYSS-2024-029]: C-MOR Video Surveillance - Dependency on Vulnerable Third-Party Component (CWE-1395)

Full Disclosure mailing list archives [SYSS-2024-029]: C-MOR Video Surveillance - Dependency on Vulnerable Third-Party Component (CWE-1395) From: Matthias Deeg via Fulldisclosure <fulldisclosure () se ...

Published Date: Sep 06, 2024 (2 months, 2 weeks ago)

CVE-2017-9798 CVE-2017-3167

The following table lists the changes that have been made to the CVE-2017-9798 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

Action	Type	Old Value	New Value
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Added	Reference		Apache Software Foundation https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E [No types assigned]
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E
Removed	Reference	Apache Software Foundation https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E

Action	Type	Old Value	New Value
Removed	CVSS V3	NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Added	CVSS V3.1		NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Changed	Reference Type	http://www.debian.org/security/2017/dsa-3980 No Types Assigned	http://www.debian.org/security/2017/dsa-3980 Third Party Advisory
Changed	Reference Type	http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html No Types Assigned	http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html Patch, Third Party Advisory
Changed	Reference Type	http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html No Types Assigned	http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html Patch, Third Party Advisory
Changed	Reference Type	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html No Types Assigned	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html Patch, Third Party Advisory
Changed	Reference Type	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html No Types Assigned	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html Patch, Third Party Advisory
Changed	Reference Type	http://www.securityfocus.com/bid/105598 No Types Assigned	http://www.securityfocus.com/bid/105598 Third Party Advisory, VDB Entry
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2017:2882 No Types Assigned	https://access.redhat.com/errata/RHSA-2017:2882 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2017:2972 No Types Assigned	https://access.redhat.com/errata/RHSA-2017:2972 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2017:3018 No Types Assigned	https://access.redhat.com/errata/RHSA-2017:3018 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2017:3113 No Types Assigned	https://access.redhat.com/errata/RHSA-2017:3113 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2017:3114 No Types Assigned	https://access.redhat.com/errata/RHSA-2017:3114 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2017:3193 No Types Assigned	https://access.redhat.com/errata/RHSA-2017:3193 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2017:3194 No Types Assigned	https://access.redhat.com/errata/RHSA-2017:3194 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2017:3195 No Types Assigned	https://access.redhat.com/errata/RHSA-2017:3195 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2017:3239 No Types Assigned	https://access.redhat.com/errata/RHSA-2017:3239 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2017:3240 No Types Assigned	https://access.redhat.com/errata/RHSA-2017:3240 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2017:3475 No Types Assigned	https://access.redhat.com/errata/RHSA-2017:3475 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2017:3476 No Types Assigned	https://access.redhat.com/errata/RHSA-2017:3476 Third Party Advisory
Changed	Reference Type	https://access.redhat.com/errata/RHSA-2017:3477 No Types Assigned	https://access.redhat.com/errata/RHSA-2017:3477 Third Party Advisory
Changed	Reference Type	https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67a No Types Assigned	https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67a Patch, Vendor Advisory
Changed	Reference Type	https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798 No Types Assigned	https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798 Vendor Advisory
Changed	Reference Type	https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E No Types Assigned	https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory
Changed	Reference Type	https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E No Types Assigned	https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory
Changed	Reference Type	https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E No Types Assigned	https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory
Changed	Reference Type	https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E No Types Assigned	https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory
Changed	Reference Type	https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E No Types Assigned	https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory
Changed	Reference Type	https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E No Types Assigned	https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory
Changed	Reference Type	https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E No Types Assigned	https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory
Changed	Reference Type	https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E No Types Assigned	https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E Mailing List, Vendor Advisory
Changed	Reference Type	https://security.gentoo.org/glsa/201710-32 No Types Assigned	https://security.gentoo.org/glsa/201710-32 Third Party Advisory
Changed	Reference Type	https://security.netapp.com/advisory/ntap-20180601-0003/ No Types Assigned	https://security.netapp.com/advisory/ntap-20180601-0003/ Third Party Advisory
Changed	Reference Type	https://support.apple.com/HT208331 No Types Assigned	https://support.apple.com/HT208331 Third Party Advisory
Changed	Reference Type	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us No Types Assigned	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us Third Party Advisory
Changed	Reference Type	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html No Types Assigned	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Patch, Third Party Advisory
Changed	Reference Type	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html No Types Assigned	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html Patch, Third Party Advisory
Changed	Reference Type	https://www.tenable.com/security/tns-2019-09 No Types Assigned	https://www.tenable.com/security/tns-2019-09 Third Party Advisory

Action	Type	Old Value	New Value
Removed	Reference	https://github.com/apache/httpd/commit/29afdd2550b3d30a8defece2b95ae81edcf66ac9 [Patch, Third Party Advisory]
Added	Reference		https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67a [No Types Assigned]

Action	Type	Old Value	New Value
Added	CVSS V2		(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Added	CVSS V3		AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Changed	Reference Type	https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch No Types Assigned	https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch Exploit, Patch, Technical Description, Third Party Advisory
Changed	Reference Type	http://www.securityfocus.com/bid/100872 No Types Assigned	http://www.securityfocus.com/bid/100872 Third Party Advisory, VDB Entry
Changed	Reference Type	https://security-tracker.debian.org/tracker/CVE-2017-9798 No Types Assigned	https://security-tracker.debian.org/tracker/CVE-2017-9798 Third Party Advisory
Changed	Reference Type	https://www.exploit-db.com/exploits/42745/ No Types Assigned	https://www.exploit-db.com/exploits/42745/ Exploit, Third Party Advisory, VDB Entry
Changed	Reference Type	https://github.com/apache/httpd/commit/29afdd2550b3d30a8defece2b95ae81edcf66ac9 No Types Assigned	https://github.com/apache/httpd/commit/29afdd2550b3d30a8defece2b95ae81edcf66ac9 Patch, Third Party Advisory
Changed	Reference Type	http://www.securitytracker.com/id/1039387 No Types Assigned	http://www.securitytracker.com/id/1039387 Third Party Advisory, VDB Entry
Changed	Reference Type	http://openwall.com/lists/oss-security/2017/09/18/2 No Types Assigned	http://openwall.com/lists/oss-security/2017/09/18/2 Mailing List, VDB Entry
Changed	Reference Type	https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch No Types Assigned	https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch Vendor Advisory
Changed	Reference Type	https://github.com/hannob/optionsbleed No Types Assigned	https://github.com/hannob/optionsbleed Exploit, Third Party Advisory
Changed	Reference Type	https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html No Types Assigned	https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html Exploit, Patch, Technical Description, Third Party Advisory
Added	CWE		CWE-416
Added	CPE Configuration		OR cpe:2.3:a:apache:http_server:2.2.34::::::: (and previous) cpe:2.3:a:apache:http_server:2.4.0::::::: cpe:2.3:a:apache:http_server:2.4.1::::::: cpe:2.3:a:apache:http_server:2.4.2::::::: cpe:2.3:a:apache:http_server:2.4.3::::::: cpe:2.3:a:apache:http_server:2.4.4::::::: cpe:2.3:a:apache:http_server:2.4.6::::::: cpe:2.3:a:apache:http_server:2.4.7::::::: cpe:2.3:a:apache:http_server:2.4.9::::::: cpe:2.3:a:apache:http_server:2.4.10::::::: cpe:2.3:a:apache:http_server:2.4.12::::::: cpe:2.3:a:apache:http_server:2.4.16::::::: cpe:2.3:a:apache:http_server:2.4.17::::::: cpe:2.3:a:apache:http_server:2.4.18::::::: cpe:2.3:a:apache:http_server:2.4.20::::::: cpe:2.3:a:apache:http_server:2.4.23::::::: cpe:2.3:a:apache:http_server:2.4.25::::::: cpe:2.3:a:apache:http_server:2.4.26::::::: cpe:2.3:a:apache:http_server:2.4.27:::::::
Added	CPE Configuration		OR cpe:2.3:o:debian:debian_linux:7.0::::::: cpe:2.3:o:debian:debian_linux:8.0::::::: cpe:2.3:o:debian:debian_linux:9.0:::::::

CVE-2017-9798

Apache HTTP Server Optionsbleed Information Disclosure

Description

INFO

Sept. 18, 2017, 3:29 p.m.

Nov. 7, 2023, 2:50 a.m.

Yes !

3.6

3.9

Public PoC/Exploit Available at Github

Affected Products

References to Advisories, Solutions, and Tools

[SYSS-2024-029]: C-MOR Video Surveillance - Dependency on Vulnerable Third-Party Component (CWE-1395)

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

Modified Analysis by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

Initial Analysis by [email protected]

CVE Modified by [email protected]

CVE Modified by [email protected]

CWE - Common Weakness Enumeration

Common Attack Pattern Enumeration and Classification (CAPEC)

Exploit Prediction

97.40 }} 0.01%

0.99945

CVSS31 - Vulnerability Scoring System

Theme Customizer

Layout

Vertical

Horizontal

Two Column

Color Scheme

Light

Dark

Layout Width

Fluid

Boxed

Layout Position

Topbar Color

Light

Dark

Sidebar Size

Default

Compact

Small (Icon View)

Small Hover View

Sidebar View

Default

Detached

Sidebar Color

Light

Dark

Gradient

Preloader

Enable

Disable