Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-10098: Open Redirect in Apache HTTP Server

CWE-601: Open Redirect | 13 documents | 12 sources

Severity: 6.1 MEDIUM (NVD)
EPSS: 80.3% (top 0.88%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Sep 25 | Latest update May 24

Description

In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

NVD | apache/http_server | 2.4.0 | 2.4.39

🔴 Vulnerability Details (4)

GHSA: GHSA-hm8m-x559-v4fw: In Apache HTTP server 2 (2022-05-24)
CVEList: CVE-2019-10098: In Apache HTTP server 2 (2019-09-25)
OSV: CVE-2019-10098: In Apache HTTP server 2 (2019-09-25)
VulnCheck: Apache HTTP Server URL Redirection to Untrusted Site ('Open Redirect') (2019)

💥 Exploits & PoCs (2)

Exploit-DB: Apache Httpd mod_rewrite - Open Redirects (2019-10-14)
Nuclei: Apache HTTP server v2.4.0 to v2.4.39 - Open Redirect

📋 Vendor Advisories (4)

Ubuntu: Apache HTTP Server vulnerabilities (2019-08-29)
Red Hat: httpd: mod_rewrite potential open redirect (2019-08-14)
Debian: CVE-2019-10098: apache2 - In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite tha... (2019)
Apache: Apache httpd: CVE-2019-10098

💬 Community (2)

Bugzilla: CVE-2019-10098 httpd: mod_rewrite potential open redirect (2019-08-21)
Bugzilla: CVE-2019-10098 httpd: mod_rewrite potential open redirect [fedora-all] (2019-08-21)
CVE-2019-10098 — Open Redirect in Apache Http Server | cvebase