A carefully crafted If: request header can cause a memory read

CVE-2006-20001 is an out-of-bounds read / one-byte NUL write in Apache HTTP Server mod_dav when it parses a crafted If: header. Upstream says Apache HTTP Server 2.4.0 through 2.4.54 are affected, with the fix in 2.4.55 on 2023-01-17. The practical catch matters: the vulnerable code lives in WebDAV handling, so reachable exposure usually requires mod_dav to be loaded and Dav On to be configured for a location.

The vendor/NVD HIGH 7.5 score overrates this for most enterprise fleets. Yes, it is unauthenticated and network-reachable *when WebDAV is exposed*, but the observed impact is crash-oriented availability loss, not takeover, and the exposure population is sharply reduced by the fact that WebDAV is an optional extension with Dav Off by default; Apache itself classified the issue as *moderate*.

Why this verdict

• Optional module tax: the vulnerable parser lives in mod_dav, and Apache documents Dav Off as the default; that sharply cuts the exposed population versus all Apache servers.
• Posture friction compounds: real exploitation usually requires a DAV-enabled URL to be reachable from the attacker position, which often implies a niche publishing workflow, internal-only service, or authenticated collaboration endpoint.
• Crash-first primitive: the published impact is an out-of-bounds read or a single-byte zero write that can crash the process. That is materially weaker than the memory-corruption bugs that routinely earn emergency patch status.
• Threat intel is cold: no KEV listing, no authoritative wild-exploitation reporting found, and the provided EPSS 0.00468 is low.
• Vendor score ignores deployment reality: NVD's 7.5 assumes any vulnerable version is equally exposed from the network, which is not true here.

Why not higher?

Because there is no credible public evidence that this bug is being used for initial access or that it reliably yields more than service disruption. A CVE that needs optional WebDAV exposure and currently bottoms out at DoS should not sit in the same bucket as internet-scale Apache RCEs or traversal bugs.

Why not lower?

Because if you *do* expose WebDAV on vulnerable Apache, an unauthenticated remote attacker can realistically crash workers with a single crafted request path. That is not backlog lint; for the subset of fleets actually using DAV, there is real operational outage potential.

1. Disable unused WebDAV — Remove Dav On locations and unload mod_dav / mod_dav_fs anywhere WebDAV is not a business requirement. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this is the cleanest exposure reduction and should happen in the next routine change window.
2. Fence DAV behind strong access controls — If WebDAV must remain, restrict it to VPN, internal networks, or tightly scoped reverse-proxy ACLs, and require strong authentication. There is no mitigation SLA — go straight to the 365-day remediation window, so use normal change governance, but do not leave broad unauthenticated DAV exposure in place.
3. Alert on DAV probes and malformed If: headers — Add WAF, reverse proxy, or logging rules to surface PROPFIND, LOCK, UNLOCK, and abnormal If: header usage against Apache estates. This will not replace patching, but it gives you a tripwire while you work through the 365-day remediation window.

Run this on the target Apache host as a user who can execute apachectl/apache2ctl/httpd and read Apache config paths; sudo may be needed for full config visibility. Save as check-cve-2006-20001.sh, then run bash check-cve-2006-20001.sh on the server. It outputs VULNERABLE, PATCHED, or UNKNOWN and exits 0, 1, or 2 respectively.

#!/usr/bin/env bash
# check-cve-2006-20001.sh
# Determine likely exposure to CVE-2006-20001 on an Apache HTTP Server host.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

say() { printf '%s\n' "$1"; }
unknown() { say "UNKNOWN - $1"; exit 2; }
vuln() { say "VULNERABLE - $1"; exit 1; }
patched() { say "PATCHED - $1"; exit 0; }

find_ctl() {
  local c
  for c in apache2ctl apachectl httpd; do
    if command -v "$c" >/dev/null 2>&1; then
      printf '%s' "$c"
      return 0
    fi
  done
  return 1
}

verlte() {
  # returns 0 if $1 <= $2 using sort -V
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

ctl="$(find_ctl || true)"
[ -n "$ctl" ] || unknown "Apache control binary not found"

ver_out="$($ctl -v 2>/dev/null || true)"
version="$(printf '%s\n' "$ver_out" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n1)"
[ -n "$version" ] || unknown "Could not determine Apache version from '$ctl -v'"

mods="$($ctl -M 2>/dev/null || true)"
if [ -z "$mods" ]; then
  # Some packaged httpd binaries don't support -M directly; try common wrappers.
  if command -v apache2ctl >/dev/null 2>&1; then
    mods="$(apache2ctl -M 2>/dev/null || true)"
  elif command -v apachectl >/dev/null 2>&1; then
    mods="$(apachectl -M 2>/dev/null || true)"
  fi
fi

if ! printf '%s\n' "$mods" | grep -Eq '(^| )dav_module|(^| )dav_fs_module'; then
  patched "mod_dav is not loaded"
fi

config_paths="/etc/httpd /etc/apache2 /usr/local/apache2/conf"
dav_on_found=0
for p in $config_paths; do
  if [ -d "$p" ]; then
    if grep -RIEqs '^[[:space:]]*Dav[[:space:]]+On([[:space:]]|$)' "$p" 2>/dev/null; then
      dav_on_found=1
      break
    fi
  fi
done

if [ "$dav_on_found" -ne 1 ]; then
  patched "mod_dav is loaded but no 'Dav On' directive was found in common config paths"
fi

# Debian backport handling from Debian tracker
if command -v dpkg-query >/dev/null 2>&1; then
  pkg_ver="$(dpkg-query -W -f='${Version}\n' apache2 2>/dev/null | head -n1)"
  if [ -n "$pkg_ver" ]; then
    if command -v dpkg >/dev/null 2>&1; then
      if dpkg --compare-versions "$pkg_ver" ge '2.4.56-1~deb11u1'; then
        patched "Debian apache2 package version $pkg_ver is fixed"
      fi
      if dpkg --compare-versions "$pkg_ver" ge '2.4.38-3+deb10u9' && dpkg --compare-versions "$pkg_ver" lt '2.4.56-1~deb11u1'; then
        patched "Debian apache2 package version $pkg_ver matches a documented fixed backport"
      fi
    fi
  fi
fi

# RPM-based distros commonly backport fixes without bumping upstream version.
if command -v rpm >/dev/null 2>&1; then
  rpm_q="$(rpm -q httpd 2>/dev/null || true)"
  if [ -n "$rpm_q" ] && verlte "$version" '2.4.54'; then
    unknown "RPM package '$rpm_q' may include a vendor backport; version alone is not authoritative"
  fi
fi

if verlte "$version" '2.4.54'; then
  vuln "Apache $version with loaded mod_dav and configured 'Dav On' matches the upstream vulnerable condition"
fi

patched "Apache version $version is newer than 2.4.54"

Sources

1. Apache HTTP Server 2.4 vulnerabilities entry for CVE-2006-20001
2. Apache CHANGES_2.4 release notes
3. NVD record for CVE-2006-20001
4. Apache mod_dav documentation
5. oss-security disclosure post
6. Debian security tracker entry
7. CISA Known Exploited Vulnerabilities Catalog
8. Public GitHub PoC repository