Description
In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.
A vulnerability was discovered in Apache httpd, in mod_rewrite. Certain self-referential mod_rewrite rules could be fooled by encoded newlines, causing them to redirect to an unexpected location. An attacker could abuse this flaw in a phishing attack or as part of a client-side attack on browsers.
Mitigation
This flaw requires the use of certain Rewrite configuration directives. The following command can be used to search the server configuration for possibly vulnerable rules:

grep -R '^\s*Rewrite' /etc/httpd/

Note that RewriteRule directives may also live in .htaccess files under document roots where AllowOverride permits them; those are not under /etc/httpd/ and need a separate search. See https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html
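The advisory names the class of configuration at risk (self-referential redirects written with mod_rewrite, fooled by an encoded newline in the request path) but does not spell out a concrete rule, so the following added example, which is not code from the advisory, Red Hat, or the httpd project, does two things: it reproduces the grep from the mitigation over a constructed config fragment and narrows it to RewriteRule lines that both redirect (R flag) and anchor their pattern on a trailing `$`, and it shows what a percent-encoded newline does to such a pattern. Python's `re` shares PCRE's default that `$` also matches just before a newline that ends the string; the upstream fix in httpd 2.4.41 compiles mod_rewrite patterns with PCRE_DOLLAR_ENDONLY, which the example approximates with `\Z`. `SAMPLE_CONFIG` and `PROBE_PATH` are constructed inputs, and the `$`-to-`\Z` substitution assumes the pattern carries no `$` inside a character class.

```python
"""Audit RewriteRule directives for the class of rule named in the advisory,
and show what an encoded newline (%0a) does to a '$'-anchored pattern.

Added example for this advisory; not code from the advisory, Red Hat, or the
httpd project. SAMPLE_CONFIG is a constructed fragment, not a real host's file.
"""
import re
from urllib.parse import unquote

# Constructed httpd configuration fragment (illustration only).
SAMPLE_CONFIG = r"""
RewriteEngine On
# Canonical-host redirect: meant to send the client back to this site
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^/(.*)$ https://www.example.com/$1 [R=301,L]
# Add a trailing slash: also a redirect back to this site
RewriteRule ^/([^/.]+)$ /$1/ [R,L]
# Internal rewrite without R flag: no Location header is produced
RewriteRule ^/api/(.*)$ /index.php?p=$1 [L,QSA]
"""

# Same directive set the advisory's grep -R '^\s*Rewrite' would surface.
REWRITE_LINE = re.compile(r"^\s*Rewrite(?:Rule|Cond|Engine|Base|Map|Options)\b", re.I)
# RewriteRule <pattern> <substitution> [flags]
RULE = re.compile(
    r"^\s*RewriteRule\s+(?P<pattern>\S+)\s+(?P<subst>\S+)(?:\s+\[(?P<flags>[^\]]*)\])?",
    re.I,
)

def rewrite_lines(config: str) -> list:
    """Every Rewrite* directive, comments excluded; what the advisory's grep lists."""
    return [ln.strip() for ln in config.splitlines() if REWRITE_LINE.match(ln)]

def redirecting_rules_anchored_on_dollar(config: str) -> list:
    """RewriteRule lines that emit a redirect (R or R=code flag) and end their
    pattern with an unescaped '$'. These are the rules to review first: they
    rely on '$' meaning 'end of the request path', which is exactly what an
    encoded trailing newline undermines in the affected versions."""
    hits = []
    for ln in config.splitlines():
        m = RULE.match(ln)
        if not m:
            continue
        flags = [f.strip().upper() for f in (m.group("flags") or "").split(",")]
        redirects = any(f == "R" or f.startswith("R=") for f in flags)
        pat = m.group("pattern")
        if redirects and pat.endswith("$") and not pat.endswith(r"\$"):
            hits.append(ln.strip())
    return hits

def match_with_trailing_newline(pattern: str, encoded_path: str) -> tuple:
    """Return (capture with default '$', capture with strict end anchor).

    mod_rewrite matches the percent-decoded path. Python's re shares PCRE's
    default: '$' also matches just before a newline that ends the string.
    Replacing '$' with '\\Z' approximates PCRE_DOLLAR_ENDONLY, which httpd
    2.4.41 applies to mod_rewrite patterns (assumption: the pattern has no
    '$' inside a character class)."""
    path = unquote(encoded_path)
    lax = re.search(pattern, path)
    strict = re.search(pattern.replace("$", r"\Z"), path)
    return (lax.group(1) if lax else None, strict.group(1) if strict else None)

PROBE_PATH = "/docs%0a"  # constructed request path ending in an encoded newline

if __name__ == "__main__":
    for ln in rewrite_lines(SAMPLE_CONFIG):
        print("rewrite directive :", ln)
    for ln in redirecting_rules_anchored_on_dollar(SAMPLE_CONFIG):
        print("review first      :", ln)
    lax, strict = match_with_trailing_newline(r"^/(.*)$", PROBE_PATH)
    print("default '$' fires :", lax is not None, "captured", repr(lax))
    print("DOLLAR_ENDONLY    :", strict is not None)
```

On the constructed fragment the audit lists all five Rewrite* directives, then keeps only the two redirecting rules whose patterns end in `$`. For the probe path `/docs%0a`, the pattern `^/(.*)$` still matches the decoded `/docs\n` under the default `$` semantics (capturing `docs`), while the `\Z` form does not match at all, which is why patched servers stop treating such a request as the intended self-referential case.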
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | httpd | Out of support scope | ||
| Red Hat Enterprise Linux 6 | httpd | Out of support scope | ||
| Red Hat JBoss Enterprise Web Server 2 | httpd | Out of support scope | ||
| Red Hat JBoss Enterprise Web Server 2 | httpd22 | Out of support scope | ||
| Red Hat JBoss Web Server 3 | httpd24 | Out of support scope | ||
| JBoss Core Services Apache HTTP Server 2.4.37 SP2 | httpd | Fixed | RHSA-2020:1336 | 06.04.2020 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-apr | Fixed | RHSA-2020:1337 | 06.04.2020 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-brotli | Fixed | RHSA-2020:1337 | 06.04.2020 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-httpd | Fixed | RHSA-2020:1337 | 06.04.2020 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-mod_cluster-native | Fixed | RHSA-2020:1337 | 06.04.2020 |
Additional information
CVSS3: 3.7 Low
Related vulnerabilities
A vulnerability in the mod_rewrite function of the Apache HTTP Server web server that allows an attacker to gain unauthorized access to confidential information or to affect the integrity of information.