CVE-2019-0196

Published: 11/06/2019 Updated: 17/06/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

A vulnerability in the Apache HTTP Server could allow an unauthenticated, remote malicious user to access sensitive information on a targeted system. The vulnerability exists because the affected software improperly accesses previously freed memory when determining a request method. An attacker could exploit this vulnerability by sending requests that submit malicious input to the affected software. A successful exploit could allow the malicious user to access sensitive information, which could be used to launch additional attacks. Apache has confirmed the vulnerability and released software updates.

Vulnerable Products

apache http server

canonical ubuntu linux 14.04

canonical ubuntu linux 16.04

canonical ubuntu linux 18.04

canonical ubuntu linux 18.10

debian debian linux 9.0

Vendor Advisories

Synopsis: Moderate: httpd:2.4 security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerabi ...
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP3 security update. Type/Severity: Security Advisory: Important. Topic: Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 3 zip release for RHEL 6, RHEL 7 and Microsoft Windows is available. Red Hat Product Security has r ...
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP3 security update. Type/Severity: Security Advisory: Important. Topic: Updated packages that provide Red Hat JBoss Core Services Pack Apache Server 2.4.37 and fix several bugs, and add various enhancements are now available for Red Hat ...
A use-after-free issue has been found in the http/2 request handling code of Apache HTTPd <= 2.4.18 and >= 2.4.38. Using crafted network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly ...
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 7. Type/Severity: Security Advisory: Important. Topic: An update is now available for JBoss Core Services on RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common ...
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 6. Type/Severity: Security Advisory: Important. Topic: Updated packages that provide Red Hat JBoss Core Services Pack Apache Server 2.4.37 and fix several bugs, and add various enhancements are now available for R ...
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release. Type/Severity: Security Advisory: Important. Topic: Red Hat JBoss Core Services Pack Apache Server 2.4.37 zip release for RHEL 6, RHEL 7 and Microsoft Windows is available. Red Hat Product Security has rated this update as ...
A vulnerability was found in Apache HTTP Server 2.4. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly (CVE-2019-0196) ...
Several vulnerabilities have been found in the Apache HTTP server. CVE-2018-17189: Gal Goldshtein of F5 Networks discovered a denial of service vulnerability in mod_http2. By sending malformed requests, the http/2 stream for that request unnecessarily occupied a server thread cleaning up incoming data, resulting in denial of service ...
Several security issues were fixed in the Apache HTTP Server ...
Debian Bug report logs - #920303 apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time. Package: src:apache2; Maintainer for src:apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 23 Jan 2019 20:36:02 UTC; Severity: ...
Debian Bug report logs - #920302 apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies. Package: src:apache2; Maintainer for src:apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 23 Jan 2019 20:33:05 UTC; Severity: ...
Apache HTTP Server has security vulnerabilities that allow a remote attacker to exploit the application. The respective security vulnerabilities are discussed in detail in the subsequent sections ...
Multiple vulnerabilities affect IBM Cloud Object Storage Systems. These vulnerabilities have been addressed in the latest ClevOS releases ...

Mailing Lists

CVE-2019-0196: mod_http2, read-after-free on a string compare. Severity: Low. Vendor: The Apache Software Foundation. Versions Affected: httpd 2.4.17 to 2.4.38. Description: Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the ...
Debian Security Advisory DSA-4422-1. security@debian.org, https://www.debian.org/security/. Stefan Fritsch, April 03, 2019. https://www.debian.org/security/faq ...

Github Repositories

CTF challenge attack vectors

Target 17879174156. Scans: port information. PORT STATE SERVICE VERSION: 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Apache2 Debian Default Page: It works; 139/tcp filtered netbios-ssn; 445/tcp filtered microsoft-ds; 631/tcp filtered ipp; 2222/tcp open ssh OpenSSH 6.0p1 Debian 4+

Fetches vulnerability statistics for a specific software version from the US National Vulnerability Database (NVD).

vul-info-collect, vulnerability information statistics: fetches brief vulnerability statistics for a specific software version (CVEs, the total number of vulnerabilities, and the counts of critical, high, medium and low severity vulnerabilities) with simple text and web page output. Changelog 2020118: modified the script to follow the NVD interface change and to handle the exception for entries without a CVSS v3 score. Added scripts: script-v21py and script-v31py. Sample - v2 upd

Here's a walkthrough of a vulhub machine for complete beginners

Vegeta:1 ~ Vulhub Walkthrough. Here's a walkthrough of a vulhub machine. This machine is for complete beginners. We need to find the flag root.txt. Scanning: nmap -p- 192.168.122.130; nmap -sV -A 192.168.122.130 (service version scan); nmap -sV -A --script vuln 192.168.122.130 (vulnerability scanning). root@kali:~# nmap -sV -A --script vuln 192.168.122.130 Starting Nmap 7.80SVN ( http

References

CWE-416
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html
http://www.apache.org/dist/httpd/CHANGES_2.4.39
http://www.openwall.com/lists/oss-security/2019/04/02/1
http://www.securityfocus.com/bid/107669
https://access.redhat.com/errata/RHSA-2019:3932
https://access.redhat.com/errata/RHSA-2019:3933
https://access.redhat.com/errata/RHSA-2019:3935
https://httpd.apache.org/security/vulnerabilities_24.html
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/97a1c58e138ed58a364513b58d807a802e72bf6079ff81a10948ef7c@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/fd110f4ace2d8364c7d9190e1993cde92f79e4eb85576ed9285686ac@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWRYD6JMEJ6O3JKJZFNOYXMJJU5JMEJK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTJPHI3E3OKW7OT7COQXVG7DE7IDQ2OT/
https://seclists.org/bugtraq/2019/Apr/5
https://security.netapp.com/advisory/ntap-20190617-0002/
https://support.f5.com/csp/article/K44591505
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us
https://usn.ubuntu.com/3937-1/
https://www.debian.org/security/2019/dsa-4422
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2019-0196
https://nvd.nist.gov
https://tools.cisco.com/security/center/viewAlert.x?alertId=59921