CVE-2019-10098

Published: 14 August 2019

In Apache HTTP Server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

Notes

Author: sbeattie
Note:
MITIGATION: Anchor captures used as back-references, prefix
self-referential redirects with / or scheme, host, and port.
all 2.4.x up to 2.4.41

Priority

Low

CVSS 3 base score: 6.1

Status

Package   Release    Status
apache2   bionic     Released (2.4.29-1ubuntu4.10)
apache2   disco      Released (2.4.38-2ubuntu2.2)
apache2   eoan       Released (2.4.41-1ubuntu1)
apache2   focal      Released (2.4.41-1ubuntu1)
apache2   groovy     Released (2.4.41-1ubuntu1)
apache2   hirsute    Released (2.4.41-1ubuntu1)
apache2   impish     Released (2.4.41-1ubuntu1)
apache2   jammy      Released (2.4.41-1ubuntu1)
apache2   precise    Not vulnerable
apache2   trusty     Needs triage
apache2   upstream   Released (2.4.41-1)
apache2   xenial     Released (2.4.18-2ubuntu3.12)

Patches:
upstream: https://github.com/apache/httpd/commit/3b3117e96bc9c2afaeb5b98e9b60315006679a6d