CVE-2020-1927

high-risk

Published 2020-04-02

In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.

Do I need to act?

11.3% chance of exploitation in next 30 days

EPSS score — higher than 89% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Http Server

Fedora

Debian Linux

Ubuntu Linux

Leap

Oncommand Unified Manager Core Package

Brocade Fabric Operating System

Communications Element Manager

Communications Session Report Manager

Communications Session Route Manager

Affected Vendors

Debian Apache Oracle Broadcom Canonical Fedoraproject Netapp Opensuse

References (54)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html

Mailing List http://www.openwall.com/lists/oss-security/2020/04/03/1

Mailing List http://www.openwall.com/lists/oss-security/2020/04/04/1

Vendor Advisory https://httpd.apache.org/security/vulnerabilities_24.html

https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda...

https://lists.apache.org/thread.html/r09bb998baee74a2c316446bd1a41ae7f8d7049d09d...

https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa5...

https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca...

https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46...

https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9f...

https://lists.apache.org/thread.html/r6a4146bf3d1645af2880f8b7a4fd8afd696d5fd4a3...

https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419...

https://lists.apache.org/thread.html/r731d43caece41d78d8c6304641a02a369fd78300e7...

https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37...

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f8...

https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa...

https://lists.apache.org/thread.html/rdf3e5d0a5f5c3d90d6013bccc6c4d5af59cf1f8c8d...

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90b...

Mailing List https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

and 34 more references

/ 100

high-risk

Severity 23/34 · High

Exploitability 11/34 · Low

Exposure 21/34 · High