⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions.

CVE-2019-0211

CWE-416 Use After Free | CWE-250 | 16 documents | 14 sources
Severity
7.8HIGH
EPSS
90.9%
top 0.37%
CISA KEV
KEV
Added 2021-11-03
Due 2022-05-03
Exploit
Exploited in wild
Active exploitation observed
Timeline
Published: Apr 8
KEV added: Nov 3
KEV due: May 3
Latest update: May 13
CISA Required Action: Apply updates per vendor instructions.

Description

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (14 packages)

NVD: apache/http_server, 2.4.17 to 2.4.38
CVEListV5: apache/apache_http_server, 2.4.17 to 2.4.38
NVD: oracle/http_server, 12.2.1.3.0
Debian: apache2, < 2.4.38-3+3
Ubuntu: apache2, < 2.4.7-1ubuntu4.22+2

Also affects: Debian Linux 9.0, Fedora 28, 29, 30, Ubuntu Linux 14.04, 16.04, 18.04, 18.10, Enterprise Linux 8.0, 8.1, 8.2, 8.4, 8.6, 8.8, Openshift Container Platform 3.11

Patches

🔴 Vulnerability Details (5)

GHSA: GHSA-w9rc-q752-88hf: In Apache HTTP Server 2... (2022-05-13)
OSV: CVE-2019-0211: In Apache HTTP Server 2... (2019-04-08)
CVEList: CVE-2019-0211: In Apache HTTP Server 2... (2019-04-08)
OSV: apache2 vulnerabilities (2019-04-04)
VulnCheck: Apache HTTP Server Privilege Escalation Vulnerability (2019)

💥 Exploits & PoCs (1)

Exploit-DB: Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation (2019-04-08)

📋 Vendor Advisories (5)

CISA: Apache HTTP Server Privilege Escalation Vulnerability (2021-11-03)
Oracle: Oracle Communications Applications Risk Matrix: Core (Apache HTTP Server) — CVE-2019-0211 (2020-04-15)
Ubuntu: Apache HTTP Server vulnerabilities (2019-04-04)
Red Hat: httpd: privilege escalation from modules scripts (2019-04-01)
Debian: CVE-2019-0211: apache2 - In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or p... (2019)

💬 Community (3)

HackerOne: Apache HTTP [2.4.17-2.4.38] Local Root Privilege Escalation (2019-09-11)
Bugzilla: CVE-2019-0211 httpd: privilege escalation from modules scripts [fedora-all] (2019-04-02)
Bugzilla: CVE-2019-0211 httpd: privilege escalation from modules scripts (2019-04-02)
CVE-2019-0211 (HIGH CVSS 7.8) | In Apache HTTP Server 2.4 releases | cvebase.io