{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-019.pdf"
    },
    "title": "Apache Web Server Vulnerability",
    "serial_number": "2020-019",
    "publish_date": "06-04-2020 12:47:00",
    "description": "On the 1st of April 2020, a new vulnerability was made public related to the Apache Web server. Apache HTTP Server is prone to an open-redirection vulnerability because it fails to properly validate redirect URLs. Specifically, this issue affects \"mod_rewrite\" configurations. An attacker can leverage this issue by constructing a crafted URI and targeting a user to follow it.",
    "url_title": "2020-019",
    "content_markdown": "---\ntitle: 'Apache Web Server Vulnerability'\nversion: '1.0'\nnumber: '2020-019'\ndate: 'April 6, 2020'\n---\n\n_History:_\n\n* _06/04/2020 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn the 1st of April 2020, a new vulnerability was made public related to the Apache Web server. Apache HTTP Server is prone to an open-redirection vulnerability because it fails to properly validate redirect URLs. Specifically, this issue affects `mod_rewrite` configurations. An attacker can leverage this issue by constructing a crafted URI and targeting a user to follow it.\n\n# Technical Details\n\nApache HTTP Server is prone to an open-redirection vulnerability because it fails to properly validate redirect URLs. _Redirects_ configured with `mod_rewrite` that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL [1].\n\nWhen an unsuspecting victim follows the link, he or she may be redirected to an attacker-controlled site. The attack could have serious impact, and the probability that this vulnerability will be exploited is very high [2].\n\nThe vulnerability received the number CVE-2020-1927. Note: this is the same defect as CVE-2019-10098. The fix for CVE-2019-10098 was ineffective [2].\n\n# Products Affected\n\nIt affects Apache HTTP Server versions 2.4.0 through 2.4.41.\n\n# Recommendations\n\nThe Apache HTTP Server Project has released a patch for this vulnerability [3]. It was fixed in Apache HTTP Server 2.4.42. It is strongly advised to update to version 2.4.42 to patch this vulnerability as soon as possible.\n\n## Workarounds\n\nIf an immediate update is not possible, the following mitigation is available [2]:\n\n- anchor captures used as back-references,\n- prefix self-referential redirects with `/` or scheme, host, and port.\n\n# References\n\n[1] <https://nvd.nist.gov/vuln/detail/CVE-2019-10098#vulnCurrentDescriptionTitle>\n\n[2] <https://seclists.org/oss-sec/2020/q2/3>\n\n[3] <https://httpd.apache.org/security/vulnerabilities_24.html>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>06/04/2020 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 1st of April 2020, a new vulnerability was made public related to the Apache Web server. Apache HTTP Server is prone to an open-redirection vulnerability because it fails to properly validate redirect URLs. Specifically, this issue affects <code>mod_rewrite</code> configurations. An attacker can leverage this issue by constructing a crafted URI and targeting a user to follow it.</p><h2 id=\"technical-details\">Technical Details</h2><p>Apache HTTP Server is prone to an open-redirection vulnerability because it fails to properly validate redirect URLs. <em>Redirects</em> configured with <code>mod_rewrite</code> that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL [1].</p><p>When an unsuspecting victim follows the link, he or she may be redirected to an attacker-controlled site. The attack could have serious impact, and the probability that this vulnerability will be exploited is very high [2].</p><p>The vulnerability received the number CVE-2020-1927. Note: this is the same defect as CVE-2019-10098. The fix for CVE-2019-10098 was ineffective [2].</p><h2 id=\"products-affected\">Products Affected</h2><p>It affects Apache HTTP Server versions 2.4.0 through 2.4.41.</p><h2 id=\"recommendations\">Recommendations</h2><p>The Apache HTTP Server Project has released a patch for this vulnerability [3]. It was fixed in Apache HTTP Server 2.4.42. It is strongly advised to update to version 2.4.42 to patch this vulnerability as soon as possible.</p><h3 id=\"workarounds\">Workarounds</h3><p>If an immediate update is not possible, the following mitigation is available [2]:</p><ul><li>anchor captures used as back-references,</li><li>prefix self-referential redirects with <code>/</code> or scheme, host, and port.</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2019-10098#vulnCurrentDescriptionTitle\">https://nvd.nist.gov/vuln/detail/CVE-2019-10098#vulnCurrentDescriptionTitle</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://seclists.org/oss-sec/2020/q2/3\">https://seclists.org/oss-sec/2020/q2/3</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://httpd.apache.org/security/vulnerabilities_24.html\">https://httpd.apache.org/security/vulnerabilities_24.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}