CVE-2019-0220
First published: Mon Apr 01 2019(Updated: )
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24-apr | <0:1.6.3-73.jbcs.el6 | 0:1.6.3-73.jbcs.el6 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-54.jbcs.el6 | 0:1.6.1-54.jbcs.el6 |
| redhat/jbcs-httpd24-brotli | <0:1.0.6-9.jbcs.el6 | 0:1.0.6-9.jbcs.el6 |
| redhat/jbcs-httpd24-curl | <0:7.64.1-21.jbcs.el6 | 0:7.64.1-21.jbcs.el6 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-41.jbcs.el6 | 0:2.4.37-41.jbcs.el6 |
| redhat/jbcs-httpd24-jansson | <0:2.11-24.jbcs.el6 | 0:2.11-24.jbcs.el6 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-10.jbcs.el6 | 0:1.39.2-10.jbcs.el6 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1c-4.jbcs.el6 | 1:1.1.1c-4.jbcs.el6 |
| redhat/jbcs-httpd24-apr | <0:1.6.3-73.jbcs.el7 | 0:1.6.3-73.jbcs.el7 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-54.jbcs.el7 | 0:1.6.1-54.jbcs.el7 |
| redhat/jbcs-httpd24-brotli | <0:1.0.6-9.jbcs.el7 | 0:1.0.6-9.jbcs.el7 |
| redhat/jbcs-httpd24-curl | <0:7.64.1-21.jbcs.el7 | 0:7.64.1-21.jbcs.el7 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-41.jbcs.el7 | 0:2.4.37-41.jbcs.el7 |
| redhat/jbcs-httpd24-jansson | <0:2.11-24.jbcs.el7 | 0:2.11-24.jbcs.el7 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-10.jbcs.el7 | 0:1.39.2-10.jbcs.el7 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1c-4.jbcs.el7 | 1:1.1.1c-4.jbcs.el7 |
| redhat/httpd | <0:2.4.6-90.el7 | 0:2.4.6-90.el7 |
| redhat/httpd24 | <0:1.1-19.el6 | 0:1.1-19.el6 |
| redhat/httpd24-httpd | <0:2.4.34-15.el6 | 0:2.4.34-15.el6 |
| redhat/httpd24-nghttp2 | <0:1.7.1-8.el6 | 0:1.7.1-8.el6 |
| redhat/httpd24 | <0:1.1-19.el7 | 0:1.1-19.el7 |
| redhat/httpd24-httpd | <0:2.4.34-15.el7 | 0:2.4.34-15.el7 |
| redhat/httpd24-nghttp2 | <0:1.7.1-8.el7 | 0:1.7.1-8.el7 |
| Apache HTTP server | >=2.4.0<=2.4.38 | |
| openSUSE Leap | =15.0 | |
| openSUSE Leap | =42.3 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Fedoraproject Fedora | =28 | |
| Fedoraproject Fedora | =29 | |
| Fedoraproject Fedora | =30 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =18.10 | |
| redhat/httpd | <2.4.39 | 2.4.39 |
| ubuntu/apache2 | <2.4.29-1ubuntu4.6 | 2.4.29-1ubuntu4.6 |
| ubuntu/apache2 | <2.4.34-1ubuntu2.1 | 2.4.34-1ubuntu2.1 |
| ubuntu/apache2 | <2.4.38-2ubuntu2 | 2.4.38-2ubuntu2 |
| ubuntu/apache2 | <2.4.38-2ubuntu2 | 2.4.38-2ubuntu2 |
| ubuntu/apache2 | <2.4.38-2ubuntu2 | 2.4.38-2ubuntu2 |
| ubuntu/apache2 | <2.4.38-2ubuntu2 | 2.4.38-2ubuntu2 |
| ubuntu/apache2 | <2.4.38-2ubuntu2 | 2.4.38-2ubuntu2 |
| ubuntu/apache2 | <2.4.7-1ubuntu4.22 | 2.4.7-1ubuntu4.22 |
| ubuntu/apache2 | <2.4.18-2ubuntu3.10 | 2.4.18-2ubuntu3.10 |
| debian/apache2 | 2.4.59-1~deb11u1 2.4.59-1~deb12u1 2.4.59-2 2.4.60-1 |
Remedy
This flaw can be mitigation by replacing multiple consecutive slashes, used in directives that match against the path component of the request URL with regular expressions.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-0220 https://nvd.nist.gov/vuln/detail/CVE-2019-0220 http://www.apache.org/dist/httpd/CHANGES_2.4 https://httpd.apache.org/security/vulnerabilities_24.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1695036
- https://access.redhat.com/errata/RHSA-2020:0250
- https://access.redhat.com/errata/RHSA-2019:2343
- https://access.redhat.com/errata/RHSA-2019:3436
- https://access.redhat.com/errata/RHSA-2020:0251
- https://access.redhat.com/errata/RHSA-2019:4126
- https://access.redhat.com/security/cve/cve-2019-0220
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html
- http://www.openwall.com/lists/oss-security/2019/04/02/6
- http://www.securityfocus.com/bid/107670
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r31f46d1f16ffcafa68058596b21f6eaf6d352290e522690a1cdccdd7@%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/04/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ALIR5S3O7NRHEGFMIDMUSYQIZOE4TJJN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZRMTEIGZKYFNGIDOTXN3GNEJTLVCYU7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT/
- https://seclists.org/bugtraq/2019/Apr/5
- https://security.netapp.com/advisory/ntap-20190625-0007/
- https://support.f5.com/csp/article/K44591505
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us
- https://usn.ubuntu.com/3937-1/
- https://www.debian.org/security/2019/dsa-4422
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us
- https://launchpad.net/bugs/cve/CVE-2019-0220
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r31f46d1f16ffcafa68058596b21f6eaf6d352290e522690a1cdccdd7%40%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ALIR5S3O7NRHEGFMIDMUSYQIZOE4TJJN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZRMTEIGZKYFNGIDOTXN3GNEJTLVCYU7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT/
- http://www.apache.org/dist/httpd/CHANGES_2.4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1695046
- https://access.redhat.com/support/policy/updates/errata/
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0220
- https://ubuntu.com/security/notices/USN-3937-1
- https://www.cve.org/CVERecord?id=CVE-2019-0220
- https://nvd.nist.gov/vuln/detail/CVE-2019-0220
- https://security-tracker.debian.org/tracker/CVE-2019-0220
- https://github.com/apache/httpd/commit/9bc1917a27a2323e535aadb081e38172ae0e3fc2
- https://github.com/apache/httpd/commit/c4ef468b25718a26f2b92cbea3ca093729b79331
- https://github.com/apache/httpd/commit/a428b2ce4a2a1250e0eab66edc283f58ea643602
- https://github.com/apache/httpd/commit/3451fc2bf8708b0dc8cd6a7d0ac0fe5b6401befc
- https://ubuntu.com/security/CVE-2019-0220
- https://svn.apache.org/r1855737
- https://svn.apache.org/r1855751
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2019-0220?
The severity of CVE-2019-0220 is low with a CVSS score of 3.3.
What is the impact of CVE-2019-0220?
CVE-2019-0220 allows an attacker to bypass intended access restrictions and perform unauthorized actions.
How do I fix CVE-2019-0220?
To fix CVE-2019-0220, update your Apache HTTP Server to version 2.4.39 or apply the appropriate patch provided by RedHat.
Where can I find more information about CVE-2019-0220?
You can find more information about CVE-2019-0220 on the official Apache HTTP Server website, the Apache HTTP Server changelog, and the RedHat Bugzilla page.
What is the Common Vulnerabilities and Exposures (CVE) ID for this vulnerability?
The Common Vulnerabilities and Exposures (CVE) ID for this vulnerability is CVE-2019-0220.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-0220
- agent/weakness
- agent/severity
- agent/remedy
- agent/description
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- agent/references
- agent/softwarecombine
- agent/tags
- agent/event
- package-manager/redhat
- vendor/apache
- canonical/apache http server
- version/apache http server/2.4.0
- version/apache http server/2.4.38
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0
- version/opensuse leap/42.3
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/28
- version/fedoraproject fedora/29
- version/fedoraproject fedora/30
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/18.10
- package-manager/ubuntu
- package-manager/debian