CVE-2020-11984

critical
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

References

https://httpd.apache.org/security/vulnerabilities_24.html

http://www.openwall.com/lists/oss-security/2020/08/08/1

https://security.gentoo.org/glsa/202008-04

http://www.openwall.com/lists/oss-security/2020/08/08/10

http://www.openwall.com/lists/oss-security/2020/08/08/9

http://www.openwall.com/lists/oss-security/2020/08/08/8

http://www.openwall.com/lists/oss-security/2020/08/10/5

https://lists.apache.org/thread.html/[email protected]%3Cdev.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.httpd.apache.org%3E

https://security.netapp.com/advisory/ntap-20200814-0005/

http://www.openwall.com/lists/oss-security/2020/08/17/2

https://usn.ubuntu.com/4458-1/

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00071.html

http://packetstormsecurity.com/files/159009/Apache2-mod_proxy_uwsgi-Incorrect-Request-Handling.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/HYVYE2ZERFXDV6RMKK3I5SDSDQLPSEIQ/

https://www.debian.org/security/2020/dsa-4757

https://lists.debian.org/debian-lts-announce/2020/09/msg00001.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/A2RN46PRBJE7E7OPD4YZX5SVWV5QKGV5/

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

Details

Source: MITRE

Published: 2020-08-07

Updated: 2021-06-06

Type: CWE-120

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* versions from 2.4.32 to 2.4.43 (inclusive)

Configuration 2

OR

cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

Configuration 4

OR

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Configuration 7

OR

cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:* versions from 8.2.0 to 8.2.2 (inclusive)

cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* versions from 8.2.0 to 8.2.2 (inclusive)

cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* versions from 8.2.0 to 8.2.2 (inclusive)

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

Tenable Plugins

View all (27 total)

IDNameProductFamilySeverity
152913Ubuntu 18.04 LTS : uWSGI vulnerability (USN-5054-1)NessusUbuntu Local Security Checks
critical
149913Oracle Linux 8 : httpd:2.4 (ELSA-2021-1809)NessusOracle Linux Local Security Checks
critical
149737CentOS 8 : httpd:2.4 (CESA-2021:1809)NessusCentOS Local Security Checks
critical
149696RHEL 8 : httpd:2.4 (RHSA-2021:1809)NessusRed Hat Local Security Checks
critical
147602EulerOS Virtualization 2.9.1 : httpd (EulerOS-SA-2021-1602)NessusHuawei Local Security Checks
critical
145225Oracle Enterprise Manager Ops Center (Jan 2021 CPU)NessusMisc.
critical
143158Amazon Linux 2 : httpd (ALAS-2020-1490)NessusAmazon Linux Local Security Checks
critical
142025RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP5 (RHSA-2020:4384)NessusRed Hat Local Security Checks
critical
140966EulerOS Virtualization for ARM 64 3.0.6.0 : httpd (EulerOS-SA-2020-2018)NessusHuawei Local Security Checks
critical
112580Apache 2.4.x < 2.4.46 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
critical
140226Fedora 31 : httpd (2020-0d3d3f5072)NessusFedora Local Security Checks
critical
140224Debian DLA-2362-1 : uwsgi security updateNessusDebian Local Security Checks
critical
140105Fedora 32 : httpd (2020-189a1e6c3e)NessusFedora Local Security Checks
critical
140104Debian DSA-4757-1 : apache2 - security updateNessusDebian Local Security Checks
critical
140086Amazon Linux AMI : httpd24 (ALAS-2020-1418)NessusAmazon Linux Local Security Checks
critical
140078openSUSE Security Update : apache2 (openSUSE-2020-1293)NessusSuSE Local Security Checks
critical
140076openSUSE Security Update : apache2 (openSUSE-2020-1285)NessusSuSE Local Security Checks
critical
139957EulerOS 2.0 SP8 : httpd (EulerOS-SA-2020-1854)NessusHuawei Local Security Checks
critical
139906SUSE SLES15 Security Update : apache2 (SUSE-SU-2020:2344-1)NessusSuSE Local Security Checks
critical
139844SUSE SLED15 / SLES15 Security Update : apache2 (SUSE-SU-2020:2311-1)NessusSuSE Local Security Checks
critical
139697Photon OS 1.0: Httpd PHSA-2020-1.0-0313NessusPhotonOS Local Security Checks
critical
139612Photon OS 3.0: Httpd PHSA-2020-3.0-0125NessusPhotonOS Local Security Checks
critical
139609Photon OS 2.0: Httpd PHSA-2020-2.0-0272NessusPhotonOS Local Security Checks
critical
139596Ubuntu 16.04 LTS / 18.04 LTS / 20.04 : Apache HTTP Server vulnerabilities (USN-4458-1)NessusUbuntu Local Security Checks
critical
139574Apache 2.4.x < 2.4.46 Multiple VulnerabilitiesNessusWeb Servers
critical
139439GLSA-202008-04 : Apache: Multiple vulnerabilitiesNessusGentoo Local Security Checks
critical
139436FreeBSD : Apache httpd -- Multiple vulnerabilities (76700d2f-d959-11ea-b53c-d4c9ef517024)NessusFreeBSD Local Security Checks
critical