Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
Severity: 9.8 CRITICAL
EPSS: 75.3% (top 1.11%)
CISA KEV: Not in KEV
Exploit: PoC available
Timeline
Published: Aug 7
Latest update: May 24

Description

Apache HTTP Server 2.4.32 to 2.4.44: mod_proxy_uwsgi information disclosure and possible RCE.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (11 packages)

NVD | apache/http_server | 2.4.32 | 2.4.43
CVEListV5 | apache_http_server | 2.4.32 to 2.4.44
Debian | apache2 | < 2.4.46-1+3

Also affects: Debian Linux 10.0, 9.0, Fedora 31, 32, Ubuntu Linux 16.04, 18.04, 20.04

🔴 Vulnerability Details (4)

GHSA | GHSA-7fcg-7xhc-3997: Apache HTTP server 2 | 2022-05-24
OSV | CVE-2020-11984: Apache HTTP server 2 | 2020-08-07
CVEList | CVE-2020-11984: Apache HTTP server 2 | 2020-08-07
VulnCheck | Apache HTTP Server Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | 2020

💥 Exploits & PoCs (1)

Nuclei | Apache HTTP Server - Remote Code Execution

📋 Vendor Advisories (8)

Ubuntu | uWSGI vulnerability | 2021-09-03
Ubuntu | uWSGI vulnerability | 2021-08-30
Oracle | Oracle Enterprise Manager Risk Matrix: Control Proxy (Apache HTTP Server) — CVE-2020-11984 | 2021-01-15
Oracle | Oracle Communications Risk Matrix: Core (Apache HTTP Server) — CVE-2020-11984 | 2020-10-15
Ubuntu | Apache HTTP Server vulnerabilities | 2020-08-13

💬 Community (2)

Bugzilla | CVE-2020-11984 httpd: mod_proxy_uswgi buffer overflow [fedora-all] | 2020-08-11
Bugzilla | CVE-2020-11984 httpd: mod_proxy_uwsgi buffer overflow | 2020-08-05