CVE-2019-10097

Published: 14 August 2019

In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer dereference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.

Notes

Author: sbeattie
Note: apache 2.4.33 through 2.4.42 (pending)

Priority

Medium

CVSS 3 base score: 7.2

Status

Package: apache2 (Launchpad, Ubuntu, Debian)

Release: Status
bionic: Not vulnerable (code not present)
disco: Released (2.4.38-2ubuntu2.2)
precise: Not vulnerable (code not present)
trusty: Not vulnerable (code not present)
upstream: Released (2.4.41-1)
xenial: Not vulnerable (code not present)

Patches:
upstream: https://github.com/apache/httpd/commit/6e2cd6b5efdc9d02b0eb7834ffddee7ed06ba6a6
This vulnerability is mitigated in part by the use of gcc's stack protector in Ubuntu.