PT-2020-5483 · Apache · Apache HTTP Server

Published: 2020-08-07 · Updated: 2025-05-01 · CVE-2020-11993

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.20 through 2.4.43

Description: The issue lies in the HTTP/2 implementation (mod_http2) of the Apache HTTP Server, which can lead to inconsistent interpretation of HTTP requests. When trace/debug logging is enabled for the HTTP/2 module and certain traffic edge patterns are encountered, logging statements can be made on the wrong connection, resulting in concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" mitigates this issue for unpatched servers.

Recommendations: For Apache HTTP Server versions 2.4.20 through 2.4.43, configure the LogLevel of mod_http2 above "info" to mitigate the issue. As a temporary workaround, consider restricting the use of the HTTP/2 module until a patch is available.
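As an added example (not from the advisory or the Apache project), the following Python check reads the LogLevel directives of a main-server httpd.conf and reports the level mod_http2 is actually running at; it reads the advisory's "above info" as less verbose than info, so info, debug and traceN are flagged as unmitigated. The simplified LogLevel model and the constructed sample configurations are assumptions.

```python
"""Audit Apache LogLevel directives for the CVE-2020-11993 mitigation.

Simplified model of the LogLevel directive (assumption): tokens are processed
in order, a bare level sets the main level and clears an earlier mod_http2
override, and a "module:level" token sets a per-module override. Context
merging (<VirtualHost>, <Directory>) is not modelled.
"""
import re

# Apache log levels, least to most verbose.
LEVELS = ["emerg", "alert", "crit", "error", "warn", "notice", "info",
          "debug"] + [f"trace{i}" for i in range(1, 9)]
# Spellings Apache accepts for a module in "module:level" tokens.
HTTP2_NAMES = {"http2", "mod_http2", "mod_http2.c", "http2_module"}
LOGLEVEL_RE = re.compile(r"^LogLevel\s+(.+)$", re.IGNORECASE)


def effective_http2_level(config_text: str) -> str:
    """Return the level that applies to mod_http2 after all LogLevel lines."""
    main_level, http2_level = "warn", None  # "warn" is Apache's default
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        m = LOGLEVEL_RE.match(line)
        if not m:
            continue
        for token in m.group(1).split():
            module, sep, level = token.rpartition(":")
            if sep and module.lower() in HTTP2_NAMES:
                http2_level = level.lower()      # per-module override
            elif not sep:
                main_level, http2_level = token.lower(), None
    return http2_level or main_level


def is_mitigated(config_text: str) -> bool:
    """True when mod_http2 logs less verbosely than "info" (advisory wording)."""
    level = effective_http2_level(config_text)
    if level not in LEVELS:
        raise ValueError(f"unknown log level: {level}")
    return LEVELS.index(level) < LEVELS.index("info")


# Constructed sample: HTTP/2 tracing left on after a debugging session.
SAMPLE_CONFIG = "LogLevel warn\nLogLevel http2:trace2\n"
# Constructed sample: same server with the advisory's mitigation applied.
MITIGATED_CONFIG = "LogLevel warn http2:notice\n"
```

Run `is_mitigated` over each configuration file that sets LogLevel; a result of False means mod_http2 is still logging at info or more verbosely and the mitigation is not in place.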

HTTP Request/Response Smuggling

Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2021:1809
ALT-PU-2020-2594
ALT-PU-2020-3362
ALT-PU-2021-2035
BDU:2021-00779
BIT-APACHE-2020-11993
CESA-2021_1809
CVE-2020-11993
DSA-4757-1
MGASA-2020-0327
OPENSUSE-SU-2020:1285-1
OPENSUSE-SU-2020:1293-1
OPENSUSE-SU-2020:1792-1
OPENSUSE-SU-2020_1285-1
OPENSUSE-SU-2020_1293-1
OPENSUSE-SU-2020_1792-1
RHSA-2020:4384
RHSA-2021:1809
RHSA-2021_1809
RLSA-2021:1809
SUSE-SU-2020:2311-1
SUSE-SU-2020:2344-1
SUSE-SU-2020:2450-1
SUSE-SU-2020:3067-1
SUSE-SU-2020_3067-1
USN-4458-1

Affected Products

ALT Linux
AlmaLinux
Apache HTTP Server
CentOS
Linux Mint
Red Hat
Rocky Linux
SUSE
Ubuntu