CVE-2020-11984

Published: 07 Aug 2020
Source: redhat
CVSS3: 9.8

Description

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

A flaw was found in Apache httpd in versions 2.4.32 to 2.4.46. The uwsgi protocol does not serialize more than 16K of HTTP header leading to resource exhaustion and denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Statement

Red Hat Enterprise Linux 5, 6, and 7 do not ship the vulnerable version of httpd and, thus, are not affected.

Mitigation

This flaw only affects httpd configurations that use the uwsgi protocol; it does not manifest itself when the uwsgi protocol is not used. Commenting out "LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so" in /etc/httpd/conf.modules.d/00-proxy.conf will disable the loading of the vulnerable module.
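The mitigation above is a configuration change, so the practical question for an administrator is whether a given host still loads mod_proxy_uwsgi and whether anything actually proxies to a uwsgi:// backend. The POSIX shell functions below are an added example written for this page, not code from Red Hat or from the exploitDog entry. They strip comments from the httpd configuration files they are handed, look for an active LoadModule line for proxy_uwsgi_module, and separately look for any directive that references the uwsgi: scheme; the default RHEL paths in the usage comment come from the advisory, while the regular expressions and the three-way exit code are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Red Hat advisory or the exploitDog page).
# Classifies an httpd configuration with respect to CVE-2020-11984:
#   exit 0 -> mod_proxy_uwsgi is not loaded (mitigation already in place)
#   exit 1 -> module is loaded but no directive uses uwsgi:// (unload it)
#   exit 2 -> module is loaded and uwsgi:// is in use (affected configuration)
# Configuration file paths are passed by the caller; the paths in the
# usage comment at the bottom are the RHEL defaults named in the advisory
# and are an assumption for other layouts.

# Print the uncommented, non-empty lines of the given config files.
# Anything after '#' is treated as a comment (assumption: no '#' inside
# directive arguments, which is the normal case for httpd.conf).
active_lines() {
    cat "$@" 2>/dev/null | sed 's/#.*//' | grep -v '^[[:space:]]*$'
}

# Exit 0 if an uncommented "LoadModule proxy_uwsgi_module ..." line exists.
uwsgi_module_loaded() {
    active_lines "$@" | grep -q 'LoadModule[[:space:]]\{1,\}proxy_uwsgi_module'
}

# Exit 0 if any active directive (ProxyPass, RewriteRule, ...) references
# the uwsgi: scheme; the LoadModule line itself does not match this.
uwsgi_scheme_used() {
    active_lines "$@" | grep -qi 'uwsgi:'
}

# Summarise the exposure and return 0, 1 or 2 as documented above.
uwsgi_exposure() {
    if ! uwsgi_module_loaded "$@"; then
        echo "mod_proxy_uwsgi is not loaded: not affected by CVE-2020-11984"
        return 0
    fi
    if uwsgi_scheme_used "$@"; then
        echo "mod_proxy_uwsgi is loaded and uwsgi:// is in use: affected configuration"
        return 2
    fi
    echo "mod_proxy_uwsgi is loaded but no directive uses uwsgi://: comment out the LoadModule line"
    return 1
}

# Usage on a RHEL-style layout (paths are the advisory's defaults):
# uwsgi_exposure /etc/httpd/conf.modules.d/*.conf /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf
```

Because the functions only read files you name, the same check can be run against a configuration checked out of version control or copied from a host, which is handy when auditing a fleet before deciding whether the Red Hat mitigation or the fixed jbcs-httpd24-httpd package is the right response.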

Affected packages

| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | httpd | Not affected | | |
| Red Hat Enterprise Linux 6 | httpd | Not affected | | |
| Red Hat Enterprise Linux 7 | httpd | Not affected | | |
| Red Hat JBoss Enterprise Web Server 2 | httpd | Out of support scope | | |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-apr | Fixed | RHSA-2020:4384 | 28.10.2020 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-apr-util | Fixed | RHSA-2020:4384 | 28.10.2020 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-brotli | Fixed | RHSA-2020:4384 | 28.10.2020 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-curl | Fixed | RHSA-2020:4384 | 28.10.2020 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-httpd | Fixed | RHSA-2020:4384 | 28.10.2020 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-jansson | Fixed | RHSA-2020:4384 | 28.10.2020 |

Additional information

Status: Moderate
Defect: CWE-119->CWE-400
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1866563 (httpd: mod_proxy_uwsgi buffer overflow)
CVSS3: 9.8 Critical

Related vulnerabilities

CVSS3: 9.8
ubuntu
almost 5 years ago

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

CVSS3: 9.8
nvd
almost 5 years ago

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

CVSS3: 9.8
msrc
almost 5 years ago

No description available

CVSS3: 9.8
debian
almost 5 years ago

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure an ...

github
about 3 years ago

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

Vulnerability CVE-2020-11984