CVE-2002-0392
Description
Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a chunk-encoded HTTP request that causes Apache to use an incorrect size.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:o:debian:debian_linux:2.2:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
Root cause
"Apache fails to properly calculate buffer sizes when processing chunk-encoded HTTP requests, leading to potential buffer overruns."
Attack vector
A remote attacker can send a specially crafted chunk-encoded HTTP request to a vulnerable Apache server. This request manipulates the size calculation mechanism, causing the server to misinterpret buffer requirements. This can lead to a buffer overrun and potentially allow for arbitrary code execution [ref_id=1]. The vulnerability is described as a memory corruption issue related to chunked encoding [ref_id=1].
Affected code
The vulnerability lies in how Apache processes 'Chunked Encoding' requests. Specifically, it fails to properly calculate required buffer sizes, which is believed to stem from an improper interpretation of an unsigned integer value [ref_id=1]. The provided exploit code targets specific versions of Apache on various Unix-like operating systems, indicating the issue is within the HTTP request parsing and handling logic.
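The signed/unsigned size confusion described above, shown as a bug class next to a hardened chunk-size parser. This is an added illustration, not Apache source code and not taken from the referenced advisories; `BODY_BUF`, `flawed_copy_len` and `parse_chunk_size` are hypothetical names, and the chunk-size line is constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define BODY_BUF 8192 /* constructed buffer size, not a value from Apache */

/* Flawed pattern: the hex size ends up in a signed long and only an upper
 * bound is checked. A value with the top bit set is negative, passes the
 * check, and becomes a huge size_t once it is used as a copy length. */
size_t flawed_copy_len(const char *hex)
{
    long len = (long)strtoul(hex, NULL, 16);
    long n = len < BODY_BUF ? len : BODY_BUF; /* negative len slips through */
    return (size_t)n;
}

/* Hardened: accumulate as unsigned, reject empty input, non-hex bytes and
 * anything above max_chunk. Stops at ';' (chunk extension) or CR.
 * Returns 0 and stores the size in *out, or -1 for a line to refuse. */
int parse_chunk_size(const char *line, size_t max_chunk, size_t *out)
{
    size_t v = 0;
    int digits = 0;
    for (; *line && *line != ';' && *line != '\r'; line++, digits++) {
        size_t d;
        if (*line >= '0' && *line <= '9') d = (size_t)(*line - '0');
        else if (*line >= 'a' && *line <= 'f') d = (size_t)(*line - 'a' + 10);
        else if (*line >= 'A' && *line <= 'F') d = (size_t)(*line - 'A' + 10);
        else return -1;
        if (d > max_chunk || v > (max_chunk - d) / 16)
            return -1; /* v * 16 + d would exceed max_chunk */
        v = v * 16 + d;
    }
    if (digits == 0)
        return -1;
    *out = v;
    return 0;
}

int main(void)
{
    size_t n = 0;
    const char *wire = "ffffffffffffffff\r\n"; /* constructed chunk-size line */
    printf("flawed copy length: %zu\n", flawed_copy_len(wire));
    printf("hardened parser: %d\n", parse_chunk_size(wire, 1u << 20, &n));
    return 0;
}
```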
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. Remediation guidance is not available in the provided information. Therefore, it is not possible to describe the fix or explain why it closes the vulnerability.
Preconditions
- network: The attacker must be able to send HTTP requests to the target server.
- input: The attacker must craft a malicious chunk-encoded HTTP request.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.cert.org/advisories/CA-2002-17.html (nvd: Patch, Third Party Advisory, US Government Resource)
- httpd.apache.org/info/security_bulletin_20020617.txt (nvd: Vendor Advisory)
- online.securityfocus.com/advisories/4240 (nvd: Broken Link, Third Party Advisory, VDB Entry)
- online.securityfocus.com/advisories/4257 (nvd: Broken Link, Third Party Advisory, VDB Entry)
- online.securityfocus.com/archive/1/278149 (nvd: Broken Link, Third Party Advisory, VDB Entry)
- secunia.com/advisories/21917 (nvd: Third Party Advisory)
- www.debian.org/security/2002/dsa-131 (nvd: Third Party Advisory)
- www.debian.org/security/2002/dsa-132 (nvd: Third Party Advisory)
- www.debian.org/security/2002/dsa-133 (nvd: Third Party Advisory)
- www.frsirt.com/english/advisories/2006/3598 (nvd: Third Party Advisory)
- www.kb.cert.org/vuls/id/944335 (nvd: Third Party Advisory, US Government Resource)
- www.linuxsecurity.com/advisories/other_advisory-2137.html (nvd: Third Party Advisory)
- www.redhat.com/support/errata/RHSA-2002-126.html (nvd: Third Party Advisory)
- www.redhat.com/support/errata/RHSA-2002-150.html (nvd: Third Party Advisory)
- www.redhat.com/support/errata/RHSA-2003-106.html (nvd: Third Party Advisory)
- www.securityfocus.com/bid/20005 (nvd: Third Party Advisory, VDB Entry)
- www.securityfocus.com/bid/5033 (nvd: Third Party Advisory, VDB Entry)
- ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-029.0.txt (nvd: Broken Link)
- ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.32 (nvd: Broken Link)
- ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31 (nvd: Broken Link)
- patches.sgi.com/support/free/security/advisories/20020605-01-A (nvd: Broken Link)
- patches.sgi.com/support/free/security/advisories/20020605-01-I (nvd: Broken Link)
- archives.neohapsis.com/archives/bugtraq/2002-06/0235.html (nvd: Broken Link)
- archives.neohapsis.com/archives/bugtraq/2002-06/0266.html (nvd: Broken Link)
- distro.conectiva.com/atualizacoes/ (nvd: Broken Link)
- frontal2.mandriva.com/security/advisories (nvd: Broken Link)
- rhn.redhat.com/errata/RHSA-2002-103.html (nvd: Broken Link)
- rhn.redhat.com/errata/RHSA-2002-117.html (nvd: Broken Link)
- rhn.redhat.com/errata/RHSA-2002-118.html (nvd: Broken Link)
- www.iss.net/security_center/static/9249.php (nvd: Broken Link)
- www.novell.com/linux/security/advisories/2002_22_apache.html (nvd: Broken Link)
- www.osvdb.org/838 (nvd: Broken Link)
- www2.itrc.hp.com/service/cki/docDisplay.do (nvd: Broken Link)
- lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/rd00b45b93fda4a5bd013b28587207d0e00f99f6e3308dbb6025f3b01%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E (nvd)
- lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E (nvd)