PT-2019-3477 · Apache+7 · Apache Http Server+7

Published 2019-03-26 · Updated 2024-06-15 · CVE-2019-10098

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Apache HTTP Server versions 2.4.0 through 2.4.39

Description

The issue is in the mod_rewrite module of the Apache HTTP Server, which can be fooled by encoded newlines into redirecting to an unexpected URL within the request URL. This can allow an attacker to gain unauthorized access to confidential information or impact the availability of information using a specially crafted URL request.

Recommendations

For Apache HTTP Server versions 2.4.0 through 2.4.39, consider updating the mod_rewrite configuration to prevent self-referential redirects from being fooled by encoded newlines. As a temporary workaround, restrict access to the mod_rewrite module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Open Redirect

Weakness Enumeration

Related Identifiers

ALSA-2020:4751
ALT-PU-2019-2471
ALT-PU-2019-3402
BDU:2019-03652
BDU:2020-01010
CESA-2020_3958
CESA-2020_4751
CVE-2019-10098
DLA-1900-1
DSA-4509-1
DSA-4509-2
MGASA-2019-0407
OPENSUSE-SU-2019:2051-1
OPENSUSE-SU-2019_2051-1
OPENSUSE-SU-2024:10623-1
RHSA-2020:1337
RHSA-2020:2263
RHSA-2020:3958
RHSA-2020:4751
RHSA-2020_3958
RHSA-2020_4751
RLSA-2020:4751
SUSE-SU-2019:2237-1
SUSE-SU-2019:2329-1
USN-4113-1
USN-4113-2

Affected Products

Alt Linux
Almalinux
Apache Http Server
Centos
Red Hat
Rocky Linux
Suse
Ubuntu