CVE-2020-1927
First published: Wed Apr 01 2020(Updated: )
A flaw was found in Apache HTTP Server (httpd) versions 2.4.0 to 2.4.41. Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirected instead to an unexpected URL within the request URL.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24-apr | <0:1.6.3-86.jbcs.el6 | 0:1.6.3-86.jbcs.el6 |
| redhat/jbcs-httpd24-brotli | <0:1.0.6-21.jbcs.el6 | 0:1.0.6-21.jbcs.el6 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-52.jbcs.el6 | 0:2.4.37-52.jbcs.el6 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1c-16.jbcs.el6 | 1:1.1.1c-16.jbcs.el6 |
| redhat/jbcs-httpd24-apr | <0:1.6.3-86.jbcs.el7 | 0:1.6.3-86.jbcs.el7 |
| redhat/jbcs-httpd24-brotli | <0:1.0.6-21.jbcs.el7 | 0:1.0.6-21.jbcs.el7 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-52.jbcs.el7 | 0:2.4.37-52.jbcs.el7 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1c-16.jbcs.el7 | 1:1.1.1c-16.jbcs.el7 |
| redhat/httpd | <0:2.4.6-95.el7 | 0:2.4.6-95.el7 |
| redhat/httpd24-httpd | <0:2.4.34-18.el6 | 0:2.4.34-18.el6 |
| redhat/httpd24-httpd | <0:2.4.34-18.el7 | 0:2.4.34-18.el7 |
| Apache HTTP server | >=2.4.0<=2.4.41 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =20.04 | |
| openSUSE Leap | =15.1 | |
| NetApp OnCommand Unified Manager Core Package | ||
| Broadcom Brocade Fabric Operating System | ||
| Oracle Communications Element Manager | =8.1.1 | |
| Oracle Communications Element Manager | =8.2.0 | |
| Oracle Communications Element Manager | =8.2.1 | |
| Oracle Communications Session Report Manager | =8.1.1 | |
| Oracle Communications Session Report Manager | =8.2.0 | |
| Oracle Communications Session Report Manager | =8.2.1 | |
| Oracle Communications Session Route Manager | =8.1.1 | |
| Oracle Communications Session Route Manager | =8.2.0 | |
| Oracle Communications Session Route Manager | =8.2.1 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| Oracle Instantis Enterprisetrack | >=17.1<=17.3 | |
| Oracle SD-WAN Aware | =8.2 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| redhat/httpd | <2.4.42 | 2.4.42 |
| debian/apache2 | 2.4.62-1~deb11u1 2.4.62-1~deb11u2 2.4.62-1~deb12u2 2.4.62-3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-1927 https://nvd.nist.gov/vuln/detail/CVE-2020-1927 https://httpd.apache.org/security/vulnerabilities_24.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1820761
- https://access.redhat.com/errata/RHSA-2020:1337
- https://access.redhat.com/errata/RHSA-2020:3958
- https://access.redhat.com/errata/RHSA-2020:4751
- https://access.redhat.com/errata/RHSA-2020:1336
- https://access.redhat.com/errata/RHSA-2020:2263
- https://access.redhat.com/security/cve/cve-2020-1927
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html
- http://www.openwall.com/lists/oss-security/2020/04/03/1
- http://www.openwall.com/lists/oss-security/2020/04/04/1
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r09bb998baee74a2c316446bd1a41ae7f8d7049d09d9ff991471e8775@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r6a4146bf3d1645af2880f8b7a4fd8afd696d5fd4a3ae272f49f5dc84@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r731d43caece41d78d8c6304641a02a369fd78300e7ffaf566b06bc59@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rdf3e5d0a5f5c3d90d6013bccc6c4d5af59cf1f8c8dea5d9a283d13ce@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A2RN46PRBJE7E7OPD4YZX5SVWV5QKGV5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HYVYE2ZERFXDV6RMKK3I5SDSDQLPSEIQ/
- https://security.netapp.com/advisory/ntap-20200413-0002/
- https://usn.ubuntu.com/4458-1/
- https://www.debian.org/security/2020/dsa-4757
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://launchpad.net/bugs/cve/CVE-2020-1927
- https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r09bb998baee74a2c316446bd1a41ae7f8d7049d09d9ff991471e8775%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac%40%3Cdev.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201%40%3Cdev.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r6a4146bf3d1645af2880f8b7a4fd8afd696d5fd4a3ae272f49f5dc84%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r731d43caece41d78d8c6304641a02a369fd78300e7ffaf566b06bc59%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rdf3e5d0a5f5c3d90d6013bccc6c4d5af59cf1f8c8dea5d9a283d13ce%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RN46PRBJE7E7OPD4YZX5SVWV5QKGV5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYVYE2ZERFXDV6RMKK3I5SDSDQLPSEIQ/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1820775
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927
- https://svn.apache.org/r1873905
- https://svn.apache.org/r1874191
- https://security-tracker.debian.org/tracker/CVE-2020-1927
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927
- https://nvd.nist.gov/vuln/detail/CVE-2020-1927
- https://ubuntu.com/security/CVE-2020-1927
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-1927?
CVE-2020-1927 is a vulnerability in Apache HTTP Server that allows for redirects configured with mod_rewrite to be fooled and redirected to unexpected URLs.
What is the severity of CVE-2020-1927?
The severity of CVE-2020-1927 is medium with a CVSS score of 6.1.
How does CVE-2020-1927 affect Apache HTTP Server?
CVE-2020-1927 affects Apache HTTP Server versions 2.4.0 to 2.4.41.
What is the remedy for CVE-2020-1927?
The recommended remedy for CVE-2020-1927 is to update Apache HTTP Server to version 2.4.42 or apply the appropriate patch provided by the vendor.
Where can I find more information about CVE-2020-1927?
You can find more information about CVE-2020-1927 on the official CVE website, NIST NVD website, and the Apache HTTP Server security vulnerabilities page.
- collector/redhat-cve
- collector/nvd-index
- agent/first-publish-date
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- agent/type
- agent/author
- agent/severity
- agent/weakness
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-1927
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/references
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/apache
- canonical/apache http server
- version/apache http server/2.4.0
- version/apache http server/2.4.41
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/20.04
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/netapp
- canonical/netapp oncommand unified manager core package
- vendor/broadcom
- canonical/broadcom brocade fabric operating system
- vendor/oracle
- canonical/oracle communications element manager
- version/oracle communications element manager/8.1.1
- version/oracle communications element manager/8.2.0
- version/oracle communications element manager/8.2.1
- canonical/oracle communications session report manager
- version/oracle communications session report manager/8.1.1
- version/oracle communications session report manager/8.2.0
- version/oracle communications session report manager/8.2.1
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.1.1
- version/oracle communications session route manager/8.2.0
- version/oracle communications session route manager/8.2.1
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.4.0.0
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle sd-wan aware
- version/oracle sd-wan aware/8.2
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- package-manager/debian