Severity
7.5 HIGH
EPSS
33.4%
top 3.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Aug 7
Latest update May 24

Description

Apache HTTP Server versions 2.4.20 to 2.4.43: when trace/debug was enabled for the HTTP/2 module, and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages: 11 packages

NVD | apache/http_server | 2.4.20 | 2.4.44
CVEListV5 | apache_http_server | 2.4.20 to 2.4.43
Debian | apache2 | < 2.4.46-1+3

Also affects: Debian Linux 10.0, Fedora 31, 32, Ubuntu Linux 16.04, 18.04, 20.04

Patches

🔴Vulnerability Details

3
GHSA
GHSA-89mq-r3q6-9q3q: Apache HTTP Server versions 2 | 2022-05-24
CVEList
CVE-2020-11993: Apache HTTP Server versions 2 | 2020-08-07
OSV
CVE-2020-11993: Apache HTTP Server versions 2 | 2020-08-07

📋Vendor Advisories

5
Ubuntu
Apache HTTP Server vulnerabilities | 2020-08-13
Microsoft
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns logging statements were made on the wrong connection causing concur | 2020-08-11
Red Hat
httpd: mod_http2 concurrent pool usage | 2020-08-07
Debian
CVE-2020-11993: apache2 - Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for th... | 2020
Apache
Apache httpd: CVE-2020-11993

💬Community

2
Bugzilla
CVE-2020-11993 mod_http2: httpd: mod_http2 concurrent pool usage [fedora-all] | 2020-08-11
Bugzilla
CVE-2020-11993 httpd: mod_http2 concurrent pool usage | 2020-08-05