CVE-2013-6438 (Apache vulnerability in `mod_dav` module could allow denial of service attacks via DAV WRITE requests)

  • Posted April 15, 2014

  • Assessed Risk Level: Medium

For Apache versions earlier than 2.4.8, the `dav_xml_get_cdata` function in `main/util.c` in the `mod_dav` module does not properly remove leading spaces, which could allow remote attackers to cause a denial of service via a crafted DAV WRITE request.

CVSS v2 score: 4.0 with v2 Vector (AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)


  • Affected Versions: Puppet Enterprise 2.x, 3.x
  • Resolved in Puppet Enterprise 3.2.2, 2.8.6