Alpine: multiple apache2 packages: security update to 2.4.41-r0

critical Tenable Cloud Security Plugin ID 423651

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. (CVE-2019-10082)

- Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. (CVE-2019-9517)

- HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client. (CVE-2019-10081)

- In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed. (CVE-2019-10092)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-10081

https://security.alpinelinux.org/vuln/CVE-2019-10082

https://security.alpinelinux.org/vuln/CVE-2019-10092

https://security.alpinelinux.org/vuln/CVE-2019-10097

https://security.alpinelinux.org/vuln/CVE-2019-10098

https://security.alpinelinux.org/vuln/CVE-2019-9517

Plugin Details

Severity: Critical

ID: 423651

Version: Revision 1.8

Type: Local

Published: 4/4/2025

Updated: 5/30/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS Score Source: CVE-2019-10082

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 8/13/2019

Reference Information

CVE: CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098, CVE-2019-9517

IAVA: 2019-A-0302-S