CVE-2019-0220

MEDIUM

Apache HTTP Server <2.4.39 - Path Traversal

Title source: llm

Description

A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.

References (40)

[Mailing List, Patch, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html

[Mailing List, Patch, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.html

[Mailing List, Patch, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2019/04/02/6

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/107670

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2019:2343

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2019:3436

[Vendor Advisory] https://httpd.apache.org/security/vulnerabilities_24.html

[Mailing List] https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r31f46d1f16ffcafa68058596b21f6eaf6d352290e522690a1cdccdd7%40%3Cbugs.httpd.apache.org%3E

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/04/msg00008.html

[Mailing List, Third Party Advisory] https://seclists.org/bugtraq/2019/Apr/5

[Third Party Advisory] https://support.f5.com/csp/article/K44591505

[Vendor Advisory] https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us

[Third Party Advisory] https://usn.ubuntu.com/3937-1/

[Third Party Advisory] https://www.debian.org/security/2019/dsa-4422

[Vendor Advisory] https://www.oracle.com/security-alerts/cpuapr2020.html

... and 20 more

Scores

CVSS v3 5.3

EPSS 0.2057

EPSS Percentile 95.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-706

Status published

Affected Products (12)

apache/http_server < 2.4.38

opensuse/leap

opensuse/leap

debian/debian_linux

debian/debian_linux

fedoraproject/fedora

fedoraproject/fedora

fedoraproject/fedora

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

Timeline

Published Jun 11, 2019

Tracked Since Feb 18, 2026