CVE-2020-11984
Advisory lineage Upstream: 0 Downstream: 16
Modified
Published: 07 Aug 2020, 15:27
Last modified:04 Aug 2024, 11:48
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.8 CRITICAL
v3.1 (nvd)
EPSS Score
76.29% CRITICAL
76% probability +0.94%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
07 Aug 2020, 15:27
Published
Vulnerability first disclosed
04 Aug 2024, 11:48
Last Modified
Vulnerability information updated
Description
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
CVSS Metrics
- v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 76.29%• Percentile: 99%
Techniques & Countermeasures
- CWE-120•Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Affected Systems
- Unknown•HTTP Server
≥ 2.4.32, ≤ 2.4.43
- canonical•ubuntu_linux
16.04 | 18.04 | 20.04
- debian•debian_linux
9.0 | 10.0
- fedoraproject•fedora
31 | 32
- netapp•clustered_data_ontap
na
- opensuse•leap
15.1 | 15.2
- oracle•communications_element_manager
≥ 8.2.0, ≤ 8.2.2
- oracle•communications_session_report_manager
≥ 8.2.0, ≤ 8.2.2
- oracle•communications_session_route_manager
≥ 8.2.0, ≤ 8.2.2
- oracle•enterprise_manager_ops_center
12.4.0.0
- oracle•hyperion_infrastructure_technology
11.1.2.4
- oracle•instantis_enterprisetrack
17.1 | 17.2 | 17.3
- oracle•zfs_storage_appliance_kit
8.8
References (32)
- https://httpd.apache.org/security/vulnerabilities_24.html
- http://www.openwall.com/lists/oss-security/2020/08/08/1
- https://security.gentoo.org/glsa/202008-04
- http://www.openwall.com/lists/oss-security/2020/08/08/10
- http://www.openwall.com/lists/oss-security/2020/08/08/8
- http://www.openwall.com/lists/oss-security/2020/08/08/9
- http://www.openwall.com/lists/oss-security/2020/08/10/5
- https://lists.apache.org/thread.html/r5debe8f82728a00a4a68bc904dd6c35423bdfc8d601cfb4579f38bf1%40%3Cdev.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r623de9b2b2433a87f3f3a15900419fc9c00c77b26936dfea4060f672%40%3Cdev.httpd.apache.org%3E
- http://www.openwall.com/lists/oss-security/2020/08/17/2
- https://usn.ubuntu.com/4458-1/
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00071.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYVYE2ZERFXDV6RMKK3I5SDSDQLPSEIQ/
- https://www.debian.org/security/2020/dsa-4757
- https://lists.debian.org/debian-lts-announce/2020/09/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RN46PRBJE7E7OPD4YZX5SVWV5QKGV5/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://security.netapp.com/advisory/ntap-20200814-0005/
- http://packetstormsecurity.com/files/159009/Apache2-mod_proxy_uwsgi-Incorrect-Request-Handling.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r09bb998baee74a2c316446bd1a41ae7f8d7049d09d9ff991471e8775%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r34753590ae8e3f2b6af689af4fe84269b592f5fda9f3244fd9abbce8%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf71eb428714374a6f9ad68952e23611ec7807b029fd6a1b4f5f732d9%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r2c6083f6a2027914a0f5b54e2a1f4fa98c03f8693b58460911818255%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E