
CVE-2020-13950

Published: 10 June 2021

Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service

Notes

Author: mdeslaur
Note:
need to check if bionic is vulnerable as it is older than 2.4.41
included in same backport commit as CVE-2019-17567
looks like it was introduced by:
https://svn.apache.org/viewvc?view=revision&revision=1656259
Priority

Low

CVSS 3 base score: 7.5

Status

Package: apache2 (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Not vulnerable (code not present)
focal      Released (2.4.41-4ubuntu3.3)
groovy     Released (2.4.46-1ubuntu1.2)
hirsute    Released (2.4.46-4ubuntu1.1)
impish     Released (2.4.46-4ubuntu2)
jammy      Released (2.4.46-4ubuntu2)
trusty     Not vulnerable (code not present)
upstream   Released (2.4.46-6)
xenial     Not vulnerable (code not present)
Patches:
upstream: https://svn.apache.org/r1678771
upstream: https://github.com/apache/httpd/commit/8c162db8b65b2193e622b780e8c6516d4265f68b
upstream: https://github.com/apache/httpd/commit/fa22b50457c81465b5079dc44c7f1f1cb7431f5d (2.4 backport)