CVE-2019-0197

MEDIUM

Apache HTTP Server < 2.4.38 - HTTP Request Smuggling

Title source: rule

Description

A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Server that never enabled the h2 protocol or that only enabled it for https: and did not set "H2Upgrade on" are unaffected by this issue.

References (30)

[Vendor Advisory] https://httpd.apache.org/security/vulnerabilities_24.html

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2019/04/02/2

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/107665

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT/

[Mailing List] https://lists.apache.org/thread.html/e0b8f6e858b1c8ec2ce8e291a2c543d438915037c7af661ab6d33808%40%3Cdev.httpd.apache.org%3E

[Mailing List, Patch, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html

[Mailing List, Patch, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.html

[Mailing List, Patch, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html

[Third Party Advisory] https://support.f5.com/csp/article/K44591505

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20190617-0002/

[Patch, Third Party Advisory] https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

[Mailing List] https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

[Third Party Advisory] https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us

[Third Party Advisory] https://usn.ubuntu.com/4113-1/

[Patch, Third Party Advisory] https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3933

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3935

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3932

[Mailing List] https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E

... and 10 more

Scores

CVSS v3 4.2

EPSS 0.0219

EPSS Percentile 84.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

Details

CWE

CWE-444

Status published

Products (24)

apache/http_server 2.4.34 - 2.4.38

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 18.04

canonical/ubuntu_linux 19.04

fedoraproject/fedora 30

opensuse/leap 15.0

opensuse/leap 42.3

oracle/communications_session_report_manager 8.0.0

oracle/communications_session_report_manager 8.1.0

oracle/communications_session_report_manager 8.1.1

... and 14 more

Published Jun 11, 2019

Tracked Since Feb 18, 2026