FreeBSD: VID-76b085e2-9d33-11e7-9260-000c292ee6b8 (CVE-2017-9798): Apache -- HTTP OPTIONS method can leak server memory
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | Sep 19, 2017 | Sep 19, 2017 | Mar 25, 2026 |
Description
The Fuzzing Project reports: Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.
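Added example, not part of the advisory or of Apache's code: a Python audit that lists every `<Limit>` / `<LimitExcept>` section in an .htaccess body, the condition the description names, so hosts can be prioritised for the upgrade. The function name, the method allowlist and the sample input are assumptions; sections naming a method outside the allowlist are ranked higher, on the assumption (not stated on this page) that unregistered method names are the risky case.

```python
import re

# Assumed allowlist: method names from Apache's <Limit> documentation, plus HEAD.
# Apache treats method names as case-sensitive, so "head" is not "HEAD".
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}

# Opening <Limit ...> or <LimitExcept ...> tag; directive names are case-insensitive.
LIMIT_RE = re.compile(r"^\s*<\s*(Limit|LimitExcept)\s+([^>]*)>", re.IGNORECASE)

# Constructed sample input, not taken from a real site.
SAMPLE = """\
# constructed sample .htaccess
<Limit GET POST>
    Require all granted
</Limit>
<Limit ABCXYZ>
    Require all denied
</Limit>
<limitexcept GET head>
    Require valid-user
</limitexcept>
"""

def audit_htaccess(text, source="<inline>"):
    """Return one finding per <Limit>/<LimitExcept> opening line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = LIMIT_RE.match(line)
        if not m:
            continue
        methods = m.group(2).split()
        unknown = [x for x in methods if x not in KNOWN_METHODS]
        findings.append({
            "source": source, "line": lineno, "directive": m.group(1),
            "methods": methods, "unknown": unknown,
            "priority": "high" if unknown else "review",
        })
    return findings

if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE, "sample/.htaccess"):
        print(f"{f['source']}:{f['line']} <{f['directive']}> "
              f"{f['methods']} priority={f['priority']} unknown={f['unknown']}")
```

Any finding means the host matches the .htaccess condition in the description and should be checked against the fixed package versions below.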
Solutions
freebsd-upgrade-package-apache24
freebsd-upgrade-package-apache22