CVE-2019-0211: In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including…

high7.8CVSS 3.1

AVLACLPRLUINSUCHIHAH

KEVITWEXPLOIT

CISA Known Exploited Vulnerabilitydue 2022-05-03

Exploited in the wild

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

Affected

69 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	apache_http_server	—	—
apache	http_server	2.4.17 – 2.4.38	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
debian	apache2	< apache2 2.4.38-3 (bookworm)	apache2 2.4.38-3 (bookworm)
debian	debian_linux	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
opensuse	leap	—	—
opensuse	leap	—	—
oracle	communications_session_report_manager	—	—
oracle	communications_session_report_manager	—	—
oracle	communications_session_report_manager	—	—
oracle	communications_session_report_manager	—	—
oracle	communications_session_route_manager	—	—
oracle	communications_session_route_manager	—	—
oracle	communications_session_route_manager	—	—
oracle	communications_session_route_manager	—	—
oracle	enterprise_manager_ops_center	—	—
oracle	enterprise_manager_ops_center	—	—
oracle	http_server	—	—
oracle	instantis_enterprisetrack	—	—

CVSS provenance

nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

osv7.8HIGH

vulncheck7.8HIGH

cisa7.8HIGH