Main Vulnerability Database Vulnerabilities #VU18113

Input validation error in Apache HTTP Server - CVE-2019-0220

Published: April 2, 2019 / Updated: January 29, 2020

Vulnerability identifier: #VU18113

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-0220

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Apache Foundation

Affected software:
Apache HTTP Server

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to the web server does not merge consecutive slashes in URLs, that can lead to incorrect processing of requests when accessing CGI programs. Such web server behavior may lead to security restrictions bypass.

How to mitigate CVE-2019-0220

Install updates from vendor's website and make sure that "MergeSlashes" option in the configuration is not set to "Off".

Sources

http://www.apache.org/dist/httpd/CHANGES_2.4

Input validation error in Apache HTTP Server - CVE-2019-0220

Detailed vulnerability description

How to mitigate CVE-2019-0220

Sources

Please verify you're human