NVD脆弱性詳細

CVE-2012-4558

概要	Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string.
公表日	2013年2月27日1:55
登録日	2021年1月28日15:03
最終更新日	2024年11月21日10:43

CVSS2.0 : MEDIUM
スコア	4.3
ベクター	AV:N/AC:M/Au:N/C:N/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし
全ての特権を取得	いいえ
ユーザー権限を取得	いいえ
その他の権限を取得	いいえ
ユーザー操作が必要	はい

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:apache:http_server:2.2.23:::::::*
cpe:2.3:a:apache:http_server:2.2:::::::*
cpe:2.3:a:apache:http_server:2.2.11:::::::*
cpe:2.3:a:apache:http_server:2.2.0:::::::*
cpe:2.3:a:apache:http_server:2.2.10:::::::*
cpe:2.3:a:apache:http_server:2.2.13:::::::*
cpe:2.3:a:apache:http_server:2.2.2:::::::*
cpe:2.3:a:apache:http_server:2.2.4:::::::*
cpe:2.3:a:apache:http_server:2.2.17:::::::*
cpe:2.3:a:apache:http_server:2.2.16:::::::*
cpe:2.3:a:apache:http_server:2.2.21:::::::*
cpe:2.3:a:apache:http_server:2.2.8:::::::*
cpe:2.3:a:apache:http_server:2.2.14:::::::*
cpe:2.3:a:apache:http_server:2.2.6:::::::*
cpe:2.3:a:apache:http_server:2.2.22:::::::*
cpe:2.3:a:apache:http_server:2.2.19:::::::*
cpe:2.3:a:apache:http_server:2.2.9:::::::*
cpe:2.3:a:apache:http_server:2.2.18:::::::*
cpe:2.3:a:apache:http_server:2.2.12:::::::*
cpe:2.3:a:apache:http_server:2.2.3:::::::*
cpe:2.3:a:apache:http_server:2.2.15:::::::*
cpe:2.3:a:apache:http_server:2.2.20:::::::*
cpe:2.3:a:apache:http_server:2.2.1:::::::*

構成2	以上	以下	より上	未満
cpe:2.3:a:apache:http_server:2.4.1:::::::*
cpe:2.3:a:apache:http_server:2.4.0:::::::*
cpe:2.3:a:apache:http_server:2.4.3:::::::*
cpe:2.3:a:apache:http_server:2.4.2:::::::*

関連情報、対策とツール

No	URL	タグ
1	http://httpd.apache.org/security/vulnerabilities_22.html	Vendor Advisory
2	http://httpd.apache.org/security/vulnerabilities_22.html	Vendor Advisory
3	http://httpd.apache.org/security/vulnerabilities_24.html	Vendor Advisory
4	http://httpd.apache.org/security/vulnerabilities_24.html	Vendor Advisory
5	http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
6	http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
7	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101196.html
8	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101196.html
9	http://marc.info/?l=bugtraq&m=136612293908376&w=2
10	http://marc.info/?l=bugtraq&m=136612293908376&w=2
11	http://marc.info/?l=bugtraq&m=136612293908376&w=2
12	http://marc.info/?l=bugtraq&m=136612293908376&w=2
13	http://rhn.redhat.com/errata/RHSA-2013-0815.html
14	http://rhn.redhat.com/errata/RHSA-2013-0815.html
15	http://rhn.redhat.com/errata/RHSA-2013-1207.html
16	http://rhn.redhat.com/errata/RHSA-2013-1207.html
17	http://rhn.redhat.com/errata/RHSA-2013-1208.html
18	http://rhn.redhat.com/errata/RHSA-2013-1208.html
19	http://rhn.redhat.com/errata/RHSA-2013-1209.html
20	http://rhn.redhat.com/errata/RHSA-2013-1209.html
21	http://support.apple.com/kb/HT5880
22	http://support.apple.com/kb/HT5880
23	http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c?r1=1404653&r2=1413732&diff_format=h
24	http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c?r1=1404653&r2=1413732&diff_format=h
25	http://www.debian.org/security/2013/dsa-2637
26	http://www.debian.org/security/2013/dsa-2637
27	http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
28	http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
29	http://www.securityfocus.com/bid/58165
30	http://www.securityfocus.com/bid/58165
31	http://www.securityfocus.com/bid/64758
32	http://www.securityfocus.com/bid/64758
33	https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
34	https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
35	https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
36	https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
37	https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
38	https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
39	https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
40	https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
41	https://lists.apache.org/thread.html/r05b5357d1f6bd106f41541ee7d87aafe3f5ea4dc3e9bde5ce09baff8%40%3Ccvs.httpd.apache.org%3E
42	https://lists.apache.org/thread.html/r05b5357d1f6bd106f41541ee7d87aafe3f5ea4dc3e9bde5ce09baff8%40%3Ccvs.httpd.apache.org%3E
43	https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E
44	https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E
45	https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
46	https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
47	https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
48	https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
49	https://lists.apache.org/thread.html/r9821b0a32a1d0a1b4947abb6f3630053fcbb2ec905d9a32c2bd4d4ee%40%3Ccvs.httpd.apache.org%3E
50	https://lists.apache.org/thread.html/r9821b0a32a1d0a1b4947abb6f3630053fcbb2ec905d9a32c2bd4d4ee%40%3Ccvs.httpd.apache.org%3E
51	https://lists.apache.org/thread.html/r9b4b963760a3cb5a4a70c902f325c6c0337fe51d5b8570416f8f8729%40%3Ccvs.httpd.apache.org%3E
52	https://lists.apache.org/thread.html/r9b4b963760a3cb5a4a70c902f325c6c0337fe51d5b8570416f8f8729%40%3Ccvs.httpd.apache.org%3E
53	https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
54	https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
55	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
56	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
57	https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E
58	https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E
59	https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
60	https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
61	https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
62	https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
63	https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
64	https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
65	https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
66	https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
67	https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
68	https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
69	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
70	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
71	https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
72	https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
73	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18977
74	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18977

共通脆弱性一覧

No	CWE	名前	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN脆弱性情報

Apache HTTP Server の mod_proxy_balancer モジュールにおけるクロスサイトスクリプティングの脆弱性

タイトル	Apache HTTP Server の mod_proxy_balancer モジュールにおけるクロスサイトスクリプティングの脆弱性
概要	Apache HTTP Server の mod_proxy_balancer モジュールの mod_proxy_balancer.c 内の管理インタフェースの balancer_handler 関数には、クロスサイトスクリプティングの脆弱性が存在します。
想定される影響	第三者により、巧妙に細工された文字列を介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2013年2月18日0:00
登録日	2013年2月27日16:35
最終更新日	2016年8月2日16:45

影響を受けるシステム

Apache Software Foundation

Apache HTTP Server 2.2.24-dev 未満の 2.2.x

Apache HTTP Server 2.4.4 未満の 2.4.x

アップル

Apple Mac OS X v10.6.8

Apple Mac OS X v10.7.5

Apple Mac OS X v10.8 から v10.8.4

Apple Mac OS X Server v10.6.8

Apple Mac OS X Server v10.7.5

日本電気

WebOTX Application Server Enterprise V8.2 から V8.5

WebOTX Application Server Express V8.2 から V8.5

WebOTX Application Server Foundation V8.2 から V8.5

WebOTX Application Server Standard V8.2 から V8.5

WebOTX Enterprise Service Bus V8.2 から V8.5

WebOTX Portal V8.2 から V8.4

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-4558	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
National Vulnerability Database (NVD)
2	CVE-2012-4558	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4558

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	名前	URL
Apache httpd 2.2 vulnerabilities
1	Fixed in Apache httpd 2.2.4	http://httpd.apache.org/security/vulnerabilities_22.html
Apache httpd 2.4 vulnerabilities
2	Fixed in Apache httpd 2.4.4	http://httpd.apache.org/security/vulnerabilities_24.html
Apache-SVN
3	Diff of /httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c	http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c?r1=1404653&r2=1413732&diff_format=h
Apple Mailing Lists
4	APPLE-SA-2013-09-12-1	http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
Apple Security Updates
5	HT5880	http://support.apple.com/kb/HT5880
Apple セキュリティアップデート
6	HT5880	http://support.apple.com/kb/HT5880?viewlocale=ja_JP
NEC製品セキュリティ情報
7	NV16-014	http://jpn.nec.com/security-info/secinfo/nv16-014.html
SECURITY BLOG
8	Multiple Cross Site Scripting vulnerabilities in Apache HTTP server	https://blogs.oracle.com/sunsecurity/entry/multiple_cross_site_scripting_vulnerabilities

変更履歴

No	変更内容	変更日
0	[2013年02月27日] 掲載 [2013年05月27日] ベンダ情報：オラクル (Multiple Cross Site Scripting vulnerabilities in Apache HTTP server) を追加 [2013年09月30日] 影響を受けるシステム：アップル (HT5880) の情報を追加ベンダ情報：アップル (HT5880) を追加ベンダ情報：アップル (APPLE-SA-2013-09-12-1) を追加 [2016年08月02日] ベンダ情報：日本電気 (NV16-014) を追加影響を受けるシステム：ベンダ情報の追加に伴い内容を更新	2018年2月17日10:37

構成1	以上	以下	より上	未満
cpe:2.3:a:apache:http_server:2.2.23:::::::*
cpe:2.3:a:apache:http_server:2.2:::::::*
cpe:2.3:a:apache:http_server:2.2.11:::::::*
cpe:2.3:a:apache:http_server:2.2.0:::::::*
cpe:2.3:a:apache:http_server:2.2.10:::::::*
cpe:2.3:a:apache:http_server:2.2.13:::::::*
cpe:2.3:a:apache:http_server:2.2.2:::::::*
cpe:2.3:a:apache:http_server:2.2.4:::::::*
cpe:2.3:a:apache:http_server:2.2.17:::::::*
cpe:2.3:a:apache:http_server:2.2.16:::::::*
cpe:2.3:a:apache:http_server:2.2.21:::::::*
cpe:2.3:a:apache:http_server:2.2.8:::::::*
cpe:2.3:a:apache:http_server:2.2.14:::::::*
cpe:2.3:a:apache:http_server:2.2.6:::::::*
cpe:2.3:a:apache:http_server:2.2.22:::::::*
cpe:2.3:a:apache:http_server:2.2.19:::::::*
cpe:2.3:a:apache:http_server:2.2.9:::::::*
cpe:2.3:a:apache:http_server:2.2.18:::::::*
cpe:2.3:a:apache:http_server:2.2.12:::::::*
cpe:2.3:a:apache:http_server:2.2.3:::::::*
cpe:2.3:a:apache:http_server:2.2.15:::::::*
cpe:2.3:a:apache:http_server:2.2.20:::::::*
cpe:2.3:a:apache:http_server:2.2.1:::::::*