CVE-2020-1927: Open Redirect in Apache Http Server

CWE-601 (Open Redirect) | 12 documents | 9 sources

Severity
NVD: 6.1 MEDIUM
OSV: 9.8
EPSS: 11.3% (top 6.45%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Apr 2
Latest update: Jul 15

Description

In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (10 packages)

NVD: apache/http_server, 2.4.0 to 2.4.41
CVEListV5: apache/apache_http_server, 2.4.0 to 2.4.41
NVD: opensuse/leap, 15.1

Also affects: Debian Linux 10.0, 9.0, Fedora 31, 32, Ubuntu Linux 16.04, 18.04, 20.04

Patches

🔴 Vulnerability Details (4)

GHSA: GHSA-h8gj-rgqf-fpq3: In Apache HTTP Server 2 (2022-05-24)
OSV: apache2 vulnerabilities (2020-08-13)
OSV: CVE-2020-1927: In Apache HTTP Server 2 (2020-04-02)
CVEList: CVE-2020-1927: In Apache HTTP Server 2 (2020-04-01)

📋 Vendor Advisories (5)

Oracle: Oracle Oracle Fusion Middleware Risk Matrix: SSL Module (Apache HTTP Server) — CVE-2020-1927 (2022-07-15)
Oracle: Oracle Oracle Communications Risk Matrix: OS (Linux Kernel) — CVE-2020-1927 (2021-04-15)
Ubuntu: Apache HTTP Server vulnerabilities (2020-08-13)
Red Hat: httpd: mod_rewrite configurations vulnerable to open redirect (2020-04-01)
Debian: CVE-2020-1927: apache2 - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite tha... (2020)

💬 Community (2)

Bugzilla: CVE-2020-1927 httpd: mod_rewrite configurations vulnerable to open redirect [fedora-all] (2020-04-03)
Bugzilla: CVE-2020-1927 httpd: mod_rewrite configurations vulnerable to open redirect (2020-04-03)