Description
Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'
A flaw was found in Apache httpd. A possible regression from an earlier security fix broke the behavior of the MergeSlashes directive. The highest threat from this vulnerability is to data integrity.
Statement
This flaw was introduced when fixing https://access.redhat.com/security/cve/cve-2019-0220; therefore the versions of the httpd package shipped with Red Hat Enterprise Linux 7, 8 and Red Hat Software Collections are affected by this flaw.
Mitigation
This issue can be mitigated by setting the "MergeSlashes" directive to OFF.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | httpd | Not affected | | |
| Red Hat Enterprise Linux 7 | httpd | Out of support scope | | |
| Red Hat Enterprise Linux 9 | httpd | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 6 | httpd22 | Out of support scope | | |
| Red Hat JBoss Enterprise Web Server 2 | httpd22 | Out of support scope | | |
| Red Hat Software Collections | httpd24-httpd | Will not fix | | |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-apr | Fixed | RHSA-2021:4614 | 10.11.2021 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-apr-util | Fixed | RHSA-2021:4614 | 10.11.2021 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-curl | Fixed | RHSA-2021:4614 | 10.11.2021 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-httpd | Fixed | RHSA-2021:4614 | 10.11.2021 |
Additional information
CVSS3: 5.9 Medium