Input validation error in Apache HTTP Server - CVE-2020-11985

 

Input validation error in Apache HTTP Server - CVE-2020-11985

Published: August 8, 2020


Vulnerability identifier: #VU35776
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-11985
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache HTTP Server

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can spoof the user's IP address when proxying using mod_remoteip and mod_rewrite, as a result the fake IP address will be displayed in logs and will be passed to PHP scripts.

Depending on web application functionality this vulnerability can be used to bypass authorization checks based on IP addresses.


How to mitigate CVE-2020-11985

Install updates from vendor's website.

Sources