Vulnerability details: VCID-tepv-qzma-aaab
Vulnerability ID VCID-tepv-qzma-aaab
Aliases CVE-2009-1955
Summary The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (1)
System Score Found at
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
rhas Moderate https://access.redhat.com/errata/RHSA-2009:1107
rhas Moderate https://access.redhat.com/errata/RHSA-2009:1108
rhas Important https://access.redhat.com/errata/RHSA-2009:1160
rhas Moderate https://access.redhat.com/errata/RHSA-2010:0602
epss 0.0285 https://api.first.org/data/v1/epss?cve=CVE-2009-1955
epss 0.03139 https://api.first.org/data/v1/epss?cve=CVE-2009-1955
epss 0.03662 https://api.first.org/data/v1/epss?cve=CVE-2009-1955
epss 0.17730 https://api.first.org/data/v1/epss?cve=CVE-2009-1955
epss 0.18965 https://api.first.org/data/v1/epss?cve=CVE-2009-1955
epss 0.19943 https://api.first.org/data/v1/epss?cve=CVE-2009-1955
epss 0.35469 https://api.first.org/data/v1/epss?cve=CVE-2009-1955
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=504555
apache_httpd moderate https://httpd.apache.org/security/json/CVE-2009-1955.json
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2009-1955
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2009-1955
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2009-1955
generic_textual MODERATE http://www.vupen.com/english/advisories/2010/1107
Reference id Reference type URL
http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
http://marc.info/?l=apr-dev&m=124396021826125&w=2
http://marc.info/?l=bugtraq&m=129190899612998&w=2
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-1955.json
https://api.first.org/data/v1/epss?cve=CVE-2009-1955
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
http://secunia.com/advisories/34724
http://secunia.com/advisories/35284
http://secunia.com/advisories/35360
http://secunia.com/advisories/35395
http://secunia.com/advisories/35444
http://secunia.com/advisories/35487
http://secunia.com/advisories/35565
http://secunia.com/advisories/35710
http://secunia.com/advisories/35797
http://secunia.com/advisories/35843
http://secunia.com/advisories/36473
http://secunia.com/advisories/37221
http://security.gentoo.org/glsa/glsa-200907-03.xml
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.538210
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e84801eae116a33107e@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r2295080a257bad27ea68ca0af12fc715577f9e84801eae116a33107e%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/reb7c64aeea604bf948467d9d1cab8ff23fa7d002be1964bcc275aae7@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/reb7c64aeea604bf948467d9d1cab8ff23fa7d002be1964bcc275aae7%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10270
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12473
http://support.apple.com/kb/HT3937
http://svn.apache.org/viewvc?view=rev&revision=781403
https://www.exploit-db.com/exploits/8842
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01173.html
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01201.html
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg01228.html
http://wiki.rpath.com/Advisories:rPSA-2009-0123
http://www-01.ibm.com/support/docview.wss?uid=swg1PK88342
http://www-01.ibm.com/support/docview.wss?uid=swg1PK91241
http://www-01.ibm.com/support/docview.wss?uid=swg1PK99478
http://www-01.ibm.com/support/docview.wss?uid=swg27014463
http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
http://www.debian.org/security/2009/dsa-1812
http://www.mandriva.com/security/advisories?name=MDVSA-2009:131
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
http://www.openwall.com/lists/oss-security/2009/06/03/4
http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
http://www.redhat.com/support/errata/RHSA-2009-1107.html
http://www.redhat.com/support/errata/RHSA-2009-1108.html
http://www.securityfocus.com/archive/1/506053/100/0/threaded
http://www.securityfocus.com/bid/35253
http://www.ubuntu.com/usn/usn-786-1
http://www.ubuntu.com/usn/usn-787-1
http://www.vupen.com/english/advisories/2009/1907
http://www.vupen.com/english/advisories/2009/3184
http://www.vupen.com/english/advisories/2010/1107
504555 https://bugzilla.redhat.com/show_bug.cgi?id=504555
cpe:2.3:a:apache:apr-util:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:apr-util:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:http_server:-:*:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:10:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:11:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:11:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:9:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:9:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*
CVE-2009-1955 https://httpd.apache.org/security/json/CVE-2009-1955.json
CVE-2009-1955 https://nvd.nist.gov/vuln/detail/CVE-2009-1955
GLSA-200907-03 https://security.gentoo.org/glsa/200907-03
OSVDB-55057;CVE-2009-1955 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/dos/8842.pl
RHSA-2009:1107 https://access.redhat.com/errata/RHSA-2009:1107
RHSA-2009:1108 https://access.redhat.com/errata/RHSA-2009:1108
RHSA-2009:1160 https://access.redhat.com/errata/RHSA-2009:1160
RHSA-2010:0602 https://access.redhat.com/errata/RHSA-2010:0602
USN-786-1 https://usn.ubuntu.com/786-1/
USN-787-1 https://usn.ubuntu.com/787-1/
Data source Exploit-DB
Date added May 31, 2009
Description Apache mod_dav / svn - Remote Denial of Service
Ransomware campaign use Known
Source publication date June 1, 2009
Exploit type dos
Platform multiple
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2009-1955
Access Vector (AV) network
Access Complexity (AC) low
Authentication (Au) none
Confidentiality Impact (C) none
Integrity Impact (I) none
Availability Impact (A) partial

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2009-1955
Attack Vector (AV) network
Attack Complexity (AC) low
Privileges Required (PR) none
User Interaction (UI) none
Scope (S) unchanged
Confidentiality Impact (C) none
Integrity Impact (I) none
Availability Impact (A) high


Exploit Prediction Scoring System (EPSS)
Percentile 0.77041
EPSS Score 0.0285
Published At March 29, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.