Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE (CVE-2020-11984)

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers. A flaw was found in Apache httpd in versions before 2.4.46. A specially crafted Cache-Digest header triggers a negative argument to memmove() that could lead to a crash and denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-9490)

Apache HTTP Server versions 2.4.20 to 2.4.43. When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers. (CVE-2020-11993)
Vulnerable Product |
---|
apache http server |
oracle instantis enterprisetrack 17.1 |
oracle instantis enterprisetrack 17.2 |
oracle instantis enterprisetrack 17.3 |
oracle hyperion infrastructure technology 11.1.2.4 |
oracle enterprise manager ops center 12.4.0.0 |
oracle communications session route manager |
oracle communications session report manager |
oracle communications element manager |
oracle zfs storage appliance kit 8.8 |
opensuse leap 15.1 |
opensuse leap 15.2 |
debian debian linux 10.0 |
fedoraproject fedora 31 |
fedoraproject fedora 32 |
canonical ubuntu linux 18.04 |
canonical ubuntu linux 20.04 |
canonical ubuntu linux 16.04 |
redhat software_collections 1.0 |
redhat enterprise linux 8.0 |
redhat enterprise linux eus 8.1 |
redhat enterprise linux eus 8.2 |
redhat enterprise linux server tus 8.2 |
redhat enterprise linux server aus 8.2 |
redhat openstack 16.1 |
redhat enterprise linux server tus 8.4 |
redhat enterprise linux eus 8.4 |
redhat enterprise linux server aus 8.4 |
redhat enterprise linux server update services for sap solutions 8.2 |
redhat enterprise linux server update services for sap solutions 8.4 |
redhat enterprise linux server update services for sap solutions 8.1 |
redhat enterprise linux for power little endian eus 8.2 |
redhat enterprise linux for ibm z systems eus 8.2 |
redhat enterprise linux for ibm z systems eus 8.1 |
redhat enterprise linux for power little endian eus 8.1 |
redhat enterprise linux for power little endian 8.0 |
redhat enterprise linux for ibm z systems eus 8.4 |
redhat enterprise linux for ibm z systems 8.0 |
redhat enterprise linux for power little endian eus 8.4 |
redhat enterprise linux server for power little endian update services for sap solutions 8.1 |
redhat enterprise linux server for power little endian update services for sap solutions 8.2 |
redhat enterprise linux server for power little endian update services for sap solutions 8.4 |
redhat enterprise linux server for power little endian update services for sap solutions 8.6 |
redhat enterprise linux server update services for sap solutions 8.6 |
redhat enterprise linux for ibm z systems eus 8.6 |
redhat enterprise linux server aus 8.6 |
redhat enterprise linux server tus 8.6 |
redhat enterprise linux eus 8.6 |
redhat enterprise linux for power little endian eus 8.6 |
redhat openstack for ibm power 16.1 |
Remote code execution hole, arbitrary file writing flaw could make a mess of stored files

Data-stealing, password-harvesting, backdoor-opening QNAP NAS malware cruises along at 62,000 infections
Updated Some QNAP network attached storage devices are vulnerable to attack because of two critical vulnerabilities, one that enables unauthenticated remote code execution and another that provides the ability to write to arbitrary files. The vulnerabilities were made known to the Taiwan-based company on October 12, 2020, and on November 29, 2020, by SAM Seamless Network, a connected home security firm. They were found in the QNAP TS-231's latest firmware, version 4.3.6.1446, which SAM claims wa...