CVE-2019-10097NULL Pointer Dereference in Software Foundation Apache Http Server

CWE-476NULL Pointer DereferenceCWE-787Out-of-bounds WriteCWE-120Classic Buffer OverflowCWE-416Use After Free12 documents11 sources
Severity
7.2HIGHNVD
EPSS
22.9%
top 4.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
9
Oracle Instantis EnterprisetrackApache Software Foundation Apache Http ServerApache Http Server+6 more
Timeline
PublishedSep 26
Latest updateMay 24

Description

In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages9 packages

NVDapache/http_server5 versions+4
NVDoracle/http_server12.2.1.4.0

🔴Vulnerability Details

4
GHSA
GHSA-x7xg-9vq9-q8xh: In Apache HTTP Server 22022-05-24
CVEList
CVE-2019-10097: In Apache HTTP Server 22019-09-26
OSV
CVE-2019-10097: In Apache HTTP Server 22019-09-26
VulnCheck
Apache HTTP Server NULL Pointer Dereference2019

📋Vendor Advisories

4
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Core (Apache HTTP Server) — CVE-2019-100972020-10-15
Ubuntu
Apache HTTP Server vulnerabilities2019-08-29
Red Hat
httpd: null-pointer dereference in mod_remoteip2019-08-14
Debian
CVE-2019-10097: apache2 - In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a t...2019

💬Community

3
HackerOne
mod_remoteip stack buffer overflow and NULL pointer dereference2019-11-07
Bugzilla
CVE-2019-10097 httpd: null-pointer dereference in mod_remoteip [fedora-all]2019-08-21
Bugzilla
CVE-2019-10097 httpd: null-pointer dereference in mod_remoteip2019-08-21
CVE-2019-10097 — NULL Pointer Dereference | cvebase