Synopsis
Apache 2.4.x < 2.4.41 Multiple Vulnerabilities
Description
According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.41. It is, therefore, affected by multiple vulnerabilities:
- A cross-site scripting (XSS) vulnerability exists in mod_proxy when proxying is enabled and the Proxy Error page is displayed. (CVE-2019-10092)
- An open redirect vulnerability exists in mod_rewrite when using self-referential redirects. (CVE-2019-10098)
- A read-after-free vulnerability exists in mod_http2 during connection shutdown. (CVE-2019-10082)
- A memory corruption vulnerability exists in mod_http2 on early pushes. (CVE-2019-10081)
- A denial of service (DoS) vulnerability exists in mod_http2 by exhausting h2 workers. (CVE-2019-9517)
- Stack buffer overflow and NULL pointer dereference vulnerabilities exist in mod_remoteip when using a specially crafted PROXY header. (CVE-2019-10097)
Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
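The check described above is purely banner-based. The following is an added example (not part of the plugin or of Apache) of the same version-string logic, with the inconclusive cases a banner-only check runs into; the sample banners in it are constructed, not captured from any host.

```python
import re
from typing import Optional, Tuple

# The advisory covers the 2.4.x branch before 2.4.41; 2.4.41 is the fixed release.
AFFECTED_BRANCH = (2, 4)
FIXED_VERSION: Tuple[int, int, int] = (2, 4, 41)

# Matches a banner that self-reports a full version, e.g. "Apache/2.4.39 (Unix)".
_BANNER_RE = re.compile(r"^Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a Server header value.

    Returns None when the banner does not disclose a full version, which is
    what a host configured with 'ServerTokens Prod' (banner "Apache") returns.
    """
    match = _BANNER_RE.match(server_header.strip())
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(server_header: str) -> Optional[bool]:
    """Banner-based verdict for this advisory.

    True  -> banner reports 2.4.x earlier than 2.4.41 (flagged, like the scanner)
    False -> banner reports 2.4.41 or later, or a branch other than 2.4.x
    None  -> banner is inconclusive; a version-only check cannot decide

    A True result is only as reliable as the banner: a distribution that
    backports the fixes without bumping the version string still reports an
    "affected" number, which is the limitation the advisory's note describes.
    """
    version = parse_apache_version(server_header)
    if version is None:
        return None
    if version[:2] != AFFECTED_BRANCH:
        return False
    return version < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for banner in ("Apache/2.4.39 (Unix)", "Apache/2.4.41 (Debian)",
                   "Apache/2.2.34", "Apache", "nginx/1.18.0"):
        print(f"{banner!r:30} -> {is_affected(banner)}")
```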
Solution
Upgrade to Apache version 2.4.41 or later.