CVE-2019-0220

MEDIUM

Apache HTTP Server <2.4.39 - Path Traversal

Title source: llm

Description

A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.

References (40)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2019/04/02/6

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/107670

[Mailing List, Third Party Advisory] https://seclists.org/bugtraq/2019/Apr/5

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/04/msg00008.html

[Third Party Advisory] https://usn.ubuntu.com/3937-1/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT/

[Third Party Advisory] https://www.debian.org/security/2019/dsa-4422

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZRMTEIGZKYFNGIDOTXN3GNEJTLVCYU7/

[Mailing List, Patch, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html

[Mailing List, Patch, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.html

[Mailing List, Patch, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ALIR5S3O7NRHEGFMIDMUSYQIZOE4TJJN/

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2019:2343

[Mailing List] https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2019:3436

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2019:4126

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2020:0250

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2020:0251

[Mailing List] https://lists.apache.org/thread.html/r31f46d1f16ffcafa68058596b21f6eaf6d352290e522690a1cdccdd7%40%3Cbugs.httpd.apache.org%3E

... and 20 more

Scores

CVSS v3 5.3

EPSS 0.2269

EPSS Percentile 95.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-706

Status published

Products (12)

apache/http_server 2.4.0 - 2.4.38

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 18.04

canonical/ubuntu_linux 18.10

debian/debian_linux 8.0

debian/debian_linux 9.0

fedoraproject/fedora 28

fedoraproject/fedora 29

fedoraproject/fedora 30

... and 2 more

Published Jun 11, 2019

Tracked Since Feb 18, 2026