CVE-2019-0196

Published: 11/06/2019 Updated: 17/06/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

A vulnerability in the Apache HTTP Server could allow an unauthenticated, remote malicious user to access sensitive information on a targeted system. The vulnerability exists because the affected software improperly accesses previously freed memory when determining a request method. An attacker could exploit this vulnerability by sending requests that submit malicious input to the affected software. A successful exploit could allow the malicious user to access sensitive information, which could be used to launch additional attacks. Apache has confirmed the vulnerability and released software updates.

Affected Products

Vendor | Product | Versions
Apache | Http Server | 2.4.17, 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.24, 2.4.25, 2.4.26, 2.4.27, 2.4.28, 2.4.29, 2.4.30, 2.4.32, 2.4.33, 2.4.34, 2.4.35, 2.4.36, 2.4.37, 2.4.38
Canonical | Ubuntu Linux | 14.04, 16.04, 18.04, 18.10
Debian | Debian Linux | 9.0

Vendor Advisories

A use-after-free issue has been found in the http/2 request handling code of Apache HTTPd <= 2.4.18 and >= 2.4.38. Using crafted network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly ...
Several vulnerabilities have been found in the Apache HTTP server. CVE-2018-17189: Gal Goldshtein of F5 Networks discovered a denial of service vulnerability in mod_http2. By sending malformed requests, the http/2 stream for that request unnecessarily occupied a server thread cleaning up incoming data, resulting in denial of service ...
Several security issues were fixed in the Apache HTTP Server ...
Debian Bug report logs - #920303: apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time. Package: src:apache2; Maintainer for src:apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 23 Jan 2019 20:36:02 UTC; Severity: ...
Debian Bug report logs - #920302: apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies. Package: src:apache2; Maintainer for src:apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 23 Jan 2019 20:33:05 UTC; Severity: ...

Mailing Lists

Debian Security Advisory DSA-4422-1; security@debian.org; www.debian.org/security/; Stefan Fritsch; April 03, 2019; www.debian.org/security/faq ...
CVE-2019-0196: mod_http2, read-after-free on a string compare. Severity: Low. Vendor: The Apache Software Foundation. Versions Affected: httpd 2.4.17 to 2.4.38. Description: Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the ...