PT-2020-4627 · Apache+9 · Apache Http Server+9

Published 2020-08-07 · Updated 2026-03-10 · CVE-2020-11984

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache HTTP Server versions 2.4.32 through 2.4.44

Description

The issue is a buffer copy that does not check the size of the input data in the mod_proxy_uwsgi module of the Apache HTTP Server. It can allow a remote attacker to gain unauthorized access to protected information, execute arbitrary code, or cause a denial of service. The problem was discovered by Felix Wilhelm of Google Project Zero.

Recommendations

For versions 2.4.32 through 2.4.43, consider disabling the mod_proxy_uwsgi module as a temporary workaround until a patch is available. For version 2.4.44, update to a version that includes the fix for this issue. As a general mitigation measure, restrict access to sensitive information and monitor for signs of unauthorized access or code execution.

Exploit

Fix

RCE

Buffer Overflow

Weakness Enumeration

Related Identifiers

ALSA-2021:1809
ALT-PU-2020-2594
ALT-PU-2020-3362
ALT-PU-2021-2035
BDU:2020-05176
BIT-APACHE-2020-11984
CESA-2021_1809
CVE-2020-11984
DLA-2362-1
DSA-4757-1
MGASA-2020-0327
OPENSUSE-SU-2020:1285-1
OPENSUSE-SU-2020:1293-1
OPENSUSE-SU-2020_1285-1
OPENSUSE-SU-2020_1293-1
RHSA-2020:4384
RHSA-2021:1809
RHSA-2021_1809
RLSA-2021:1809
SUSE-SU-2020:2311-1
SUSE-SU-2020:2344-1
SUSE-SU-2020_2311-1
SUSE-SU-2020_2344-1
USN-4458-1
USN-5054-1
USN-5054-2

Affected Products

Alt Linux
Almalinux
Apache Http Server
Centos
Debian
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu