PT-2019-3929 · Apache+5 · Apache Http Server+5

Published

2019-04-01

·

Updated

2022-07-25

·

CVE-2019-0220

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 2.4.0 through 2.4.38
Description A vulnerability was found in the Apache HTTP Server. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them. The issue is related to the incorrect handling of requests containing multiple consecutive slashes, which can allow a remote attacker to access confidential data.
Recommendations For Apache HTTP Server versions 2.4.0 through 2.4.38, consider updating the RewriteRule directive to account for duplicate slashes in regular expressions. As a temporary workaround, consider restricting access to sensitive data until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-399CWE-706

Related Identifiers

ALT-PU-2019-1580
BDU:2019-04407
CESA-2019_2343
CESA-2019_3436
CVE-2019-0220
DLA-1748-1
DSA-4422-1
OPENSUSE-SU-2019:1209-1
OPENSUSE-SU-2019_1190-1
OPENSUSE-SU-2019_1209-1
OPENSUSE-SU-2019_1258-1
RHSA-2019:2343
RHSA-2019:3436
RHSA-2019:4126
RHSA-2019_2343
RHSA-2019_3436
RHSA-2020:0250
SUSE-SU-2019:0873-1
SUSE-SU-2019:0878-1
SUSE-SU-2019:0888-1
SUSE-SU-2019:0888-2
SUSE-SU-2019:0889-1
USN-3937-1

Affected Products

Alt Linux
Apache Http Server
Centos
Red Hat
Suse
Ubuntu