PT-2021-5464 · Apache · Apache HTTP Server

Published: 2021-05-20 · Updated: 2024-03-06 · CVE-2020-13950

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.41 through 2.4.46
Description: mod_proxy_http, the module that forwards requests to HTTP and HTTPS backends when Apache HTTP Server is used as a reverse proxy, can be made to crash through a NULL pointer dereference when it handles a specially crafted request that carries both a Content-Length and a Transfer-Encoding header. The crash takes down the child process serving the request and results in a Denial of Service. The flaw is reachable by an unauthenticated remote attacker who can send requests to a proxied location; servers that do not forward requests through mod_proxy_http are not affected.
Recommendations: Upgrade to Apache HTTP Server 2.4.48 or later, the release that fixes CVE-2020-13950, or install the corresponding vendor package updates (see the related identifiers below). Where an immediate upgrade is not possible: disable mod_proxy_http, or remove the ProxyPass/ProxyPassReverse configuration that forwards requests through it, since the crash is only reachable on that path; restrict network access to the proxy to trusted clients; and reject at the front end (a WAF, an upstream proxy, or a rewrite rule on the server itself) any request that carries both a Content-Length and a Transfer-Encoding header, a combination that RFC 7230 already says ought to be handled as an error. When verifying a fix, check the package changelog rather than the version banner: distribution updates backport the patch without changing the 2.4.x version string.
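The version and module checks above, as an added example that is not part of the advisory: a POSIX shell script that parses the banner and module list that httpd prints and decides whether a host sits in the affected range with mod_proxy_http loaded. The function names and the use of `httpd -v` / `httpd -M` output are the example's own; only the affected range (2.4.41 through 2.4.46) and the module name come from the advisory.

```shell
#!/bin/sh
# Added example (not part of the advisory): decide whether an Apache HTTP Server
# build falls in the affected range for CVE-2020-13950 (2.4.41 through 2.4.46)
# and whether mod_proxy_http is loaded, which is what makes the flaw reachable.
# The strings are passed in as arguments so the logic can also be run against
# inventory data; main() is the live form against the local binary.

# Extract "2.4.46" from a banner such as "Server version: Apache/2.4.46 (Unix)".
# Prints nothing when the banner is not an Apache banner.
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) when the banner's MAJOR.MINOR.PATCH lies in [2.4.41, 2.4.46].
# Caveat: distribution packages backport the fix without bumping this string,
# so a "true" here means "check the package changelog", not "vulnerable".
is_affected_version() {
    v=$(httpd_version_from_banner "$1")
    [ -n "$v" ] || return 1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$patch" -ge 41 ] && [ "$patch" -le 46 ]
}

# Return 0 when "httpd -M" style output lists proxy_http_module.
proxy_http_loaded() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*proxy_http_module'
}

# Both conditions together: affected version range AND the reachable module.
is_exposed() {
    is_affected_version "$1" && proxy_http_loaded "$2"
}

# Live check against the local binary (httpd or apache2 depending on distro).
main() {
    bin=$(command -v httpd || command -v apache2) || { echo "no httpd binary found"; return 2; }
    banner=$("$bin" -v 2>/dev/null)
    mods=$("$bin" -M 2>/dev/null)
    if is_exposed "$banner" "$mods"; then
        echo "EXPOSED: Apache $(httpd_version_from_banner "$banner") with mod_proxy_http loaded"
    else
        echo "not exposed: version outside 2.4.41-2.4.46 or mod_proxy_http not loaded"
    fi
}

# Only run the live check when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run as `sh check.sh --run` on the host, or source the file and call `is_exposed` with banner and module-list strings collected from a fleet. A "not exposed" result is reliable; an "EXPOSED" result still needs the package changelog consulted, because the vendor updates listed below patch the bug without changing the version banner.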

Tags

DoS

Weakness Enumeration

NULL Pointer Dereference (CWE-476)

Related Identifiers

ALT-PU-2021-1838
ALT-PU-2021-2035
ALT-PU-2021-2339
AZL-6474
BDU:2021-06310
BIT-APACHE-2020-13950
CESA-2022_5163
CVE-2020-13950
MGASA-2021-0265
OESA-2021-1246
OPENSUSE-SU-2021:0908-1
OPENSUSE-SU-2021:2127-1
OPENSUSE-SU-2021_0908-1
OPENSUSE-SU-2021_2127-1
RHSA-2021:4614
RHSA-2022:5163
RHSA-2022_5163
RLSA-2022:5163
SUSE-SU-2021:2127-1
SUSE-SU-2021_2127-1
USN-4994-1

Affected Products

Alt Linux
Apache Http Server
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu