CVE-2020-11984

HIGH

Description

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

References

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00071.html

http://packetstormsecurity.com/files/159009/Apache2-mod_proxy_uwsgi-Incorrect-Request-Handling.html

http://www.openwall.com/lists/oss-security/2020/08/08/1

http://www.openwall.com/lists/oss-security/2020/08/08/10

http://www.openwall.com/lists/oss-security/2020/08/08/8

http://www.openwall.com/lists/oss-security/2020/08/08/9

http://www.openwall.com/lists/oss-security/2020/08/10/5

http://www.openwall.com/lists/oss-security/2020/08/17/2

https://httpd.apache.org/security/vulnerabilities_24.html

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.debian.org/debian-lts-announce/2020/09/msg00001.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/A2RN46PRBJE7E7OPD4YZX5SVWV5QKGV5/

https://lists.fedoraproject.org/archives/list/[email protected]/message/HYVYE2ZERFXDV6RMKK3I5SDSDQLPSEIQ/

https://security.gentoo.org/glsa/202008-04

https://security.netapp.com/advisory/ntap-20200814-0005/

https://usn.ubuntu.com/4458-1/

https://www.debian.org/security/2020/dsa-4757

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpuoct2020.html

Details

Source: MITRE

Published: 2020-08-07

Updated: 2021-03-30

Type: CWE-120

Risk Information

CVSS v2.0

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 147602 | EulerOS : httpd (EulerOS-SA-2021-1602) | Nessus | Huawei Local Security Checks | high |
| 145225 | Oracle Enterprise Manager Ops Center (Jan 2021 CPU) | Nessus | Misc. | high |
| 143158 | Amazon Linux 2 : httpd (ALAS-2020-1490) | Nessus | Amazon Linux Local Security Checks | high |
| 142025 | RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP5 (RHSA-2020:4384) | Nessus | Red Hat Local Security Checks | high |
| 140966 | EulerOS Virtualization for ARM 64 3.0.6.0 : httpd (EulerOS-SA-2020-2018) | Nessus | Huawei Local Security Checks | high |
| 112580 | Apache 2.4.x < 2.4.46 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | high |
| 140226 | Fedora 31 : httpd (2020-0d3d3f5072) | Nessus | Fedora Local Security Checks | high |
| 140224 | Debian DLA-2362-1 : uwsgi security update | Nessus | Debian Local Security Checks | high |
| 140105 | Fedora 32 : httpd (2020-189a1e6c3e) | Nessus | Fedora Local Security Checks | high |
| 140104 | Debian DSA-4757-1 : apache2 - security update | Nessus | Debian Local Security Checks | high |
| 140086 | Amazon Linux AMI : httpd24 (ALAS-2020-1418) | Nessus | Amazon Linux Local Security Checks | high |
| 140078 | openSUSE Security Update : apache2 (openSUSE-2020-1293) | Nessus | SuSE Local Security Checks | high |
| 140076 | openSUSE Security Update : apache2 (openSUSE-2020-1285) | Nessus | SuSE Local Security Checks | high |
| 139957 | EulerOS 2.0 SP8 : httpd (EulerOS-SA-2020-1854) | Nessus | Huawei Local Security Checks | high |
| 139906 | SUSE SLES15 Security Update : apache2 (SUSE-SU-2020:2344-1) | Nessus | SuSE Local Security Checks | high |
| 139844 | SUSE SLED15 / SLES15 Security Update : apache2 (SUSE-SU-2020:2311-1) | Nessus | SuSE Local Security Checks | high |
| 139697 | Photon OS 1.0: Httpd PHSA-2020-1.0-0313 | Nessus | PhotonOS Local Security Checks | high |
| 139612 | Photon OS 3.0: Httpd PHSA-2020-3.0-0125 | Nessus | PhotonOS Local Security Checks | high |
| 139609 | Photon OS 2.0: Httpd PHSA-2020-2.0-0272 | Nessus | PhotonOS Local Security Checks | high |
| 139596 | Ubuntu 16.04 LTS / 18.04 LTS / 20.04 : Apache HTTP Server vulnerabilities (USN-4458-1) | Nessus | Ubuntu Local Security Checks | high |
| 139574 | Apache 2.4.x < 2.4.46 Multiple Vulnerabilities | Nessus | Web Servers | high |
| 139439 | GLSA-202008-04 : Apache: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 139436 | FreeBSD : Apache httpd -- Multiple vulnerabilities (76700d2f-d959-11ea-b53c-d4c9ef517024) | Nessus | FreeBSD Local Security Checks | high |