Main Vulnerability Database Vulnerabilities #VU18113

#VU18113 Input validation error in Apache HTTP Server - CVE-2019-0220

Published: April 2, 2019 / Updated: January 29, 2020

Vulnerability identifier: #VU18113

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-0220

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Apache HTTP Server

Software vendor:
Apache Foundation

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to the web server does not merge consecutive slashes in URLs, that can lead to incorrect processing of requests when accessing CGI programs. Such web server behavior may lead to security restrictions bypass.

Remediation

Install updates from vendor's website and make sure that "MergeSlashes" option in the configuration is not set to "Off".

External links

http://www.apache.org/dist/httpd/CHANGES_2.4