The issue exists in ap_input_processor.c function parse_record() which reads a variable named ‘command’ which is used to detect is the request is a recording or not. However, the code reads ‘command’ as a string with length of 20 bytes instead of a string with length of 2 bytes. This results in a logic error. This logic error is present in the ap_input_processor.c function parse_record()
This issue can be exploited by an attacker to record local information of an audio file. An attacker would just have to send an audio file to victim. User interaction is not needed for exploitation.
Security Risk:
The security risk of this issue is that it can be exploited by an attacker to record local information of an audio file. An attacker would just have to send an audio file to victim.
Vulnerability Scenario :
An attacker can exploit this vulnerability by sending the audio file to victim. The attack is not successful if the victim doesn't have ap_input_processor.c function parse_record() in their system. The vulnerability has been fixed in Apache HTTP Server 2.4.25 and later versions.
Timeline
Published on: 10/14/2022 17:15:00 UTC
Last modified on: 10/15/2022 03:45:00 UTC