---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Apache Web Server Vulnerability'
version: '1.0'
number: '2020-019'
date: 'April 6, 2020'
---

_History:_

* _06/04/2020 --- v1.0 -- Initial publication_

# Summary

On the 1st of April 2020, a new vulnerability affecting the Apache HTTP Server was made public. Apache HTTP Server is prone to an open-redirection vulnerability because it fails to properly validate redirect URLs. Specifically, this issue affects `mod_rewrite` configurations. An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it.

# Technical Details

Apache HTTP Server is prone to an open-redirection vulnerability because it fails to properly validate redirect URLs. _Redirects_ configured with `mod_rewrite` that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL [1]. When an unsuspecting victim follows the link, he or she may be redirected to an attacker-controlled site. The attack could have a serious impact, and the probability that this vulnerability will be exploited is very high [2].

The vulnerability received the number CVE-2020-1927.

Note: This is the same defect as CVE-2019-10098. The fix for CVE-2019-10098 was ineffective [2].

# Products Affected

The vulnerability affects Apache HTTP Server versions 2.4.0 to 2.4.41.

# Recommendations

The Apache HTTP Server Project has released a patch for this vulnerability [3]. It was fixed in Apache HTTP Server 2.4.42. It is strongly advised to update to version 2.4.42 to patch this vulnerability as soon as possible.

## Workarounds

In case an immediate update is not possible, the following mitigations are available [2]:

- anchor captures used as back-references,
- prefix self-referential redirects with `/` or scheme, host, and port.

# References

[1]

[2]

[3]
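The two Workarounds above can be checked mechanically. The following is an added example, not code from CERT-EU or the Apache project: a heuristic audit script that flags redirecting `RewriteRule` directives whose capture is not anchored with `^` and `$` or whose target does not start with `/` or `scheme://`. The `httpd.conf` fragment it scans is constructed for the example and assumes a server or virtual-host context (URL paths start with `/`).

```python
import re

# Constructed httpd.conf fragment (sample input, not from the advisory):
# one redirect written the fragile way, one following both mitigation hints.
SAMPLE_CONF = """
RewriteEngine On
# Fragile: capture not anchored, target built only from the capture
RewriteRule (.*)/old/?$ $1/new [R=302,L]
# Hardened: anchored capture, target prefixed with scheme and host
RewriteRule ^/(.*)/old/?$ https://www.example.com/$1/new [R=302,L]
"""

REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?")
# A target starting with "/" or "scheme://" is not steered by what the
# capture group happens to contain.
ABSOLUTE_TARGET = re.compile(r"^(?:/|[A-Za-z][A-Za-z0-9+.-]*://)")
BACKREF = re.compile(r"[$%][1-9]")


def is_redirect(flags):
    """True if the flag list contains R or redirect (with or without =code)."""
    return any(f.strip().split("=")[0] in ("R", "redirect") for f in flags.split(","))


def audit_rewrite_rules(conf_text):
    """Heuristic check: return (line_no, pattern, target, problems) for every
    redirecting RewriteRule that misses one of the advisory's two mitigations."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = REWRITE_RULE.match(line)
        if not m:
            continue
        pattern, target, flags = m.group(1), m.group(2), m.group(3) or ""
        if not is_redirect(flags):
            continue
        problems = []
        if BACKREF.search(target) and not (pattern.startswith("^") and pattern.endswith("$")):
            problems.append("capture used as back-reference is not anchored with ^ and $")
        if not ABSOLUTE_TARGET.match(target):
            problems.append("redirect target lacks a leading / or scheme://host prefix")
        if problems:
            findings.append((line_no, pattern, target, problems))
    return findings


if __name__ == "__main__":
    for line_no, pattern, target, problems in audit_rewrite_rules(SAMPLE_CONF):
        print(f"line {line_no}: RewriteRule {pattern} {target}")
        for p in problems:
            print(f"    - {p}")
```

The check is a review aid for configurations that cannot be upgraded immediately; it does not replace updating to 2.4.42.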