Vulnerability CVE-2020-1927: Information

Description

In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Published: 2 April 2020
Modified: 7 November 2023
Weakness type ID: CWE-601

Fixed packages

Package name | Branch   | Fixed in version | Version in repository | Errata ID          | Task No. | Status
apache2      | sisyphus | 2.4.43-alt1      | 2.4.59-alt1           | ALT-PU-2020-1669-1 | 249447   | Fixed
apache2      | p10      | 2.4.43-alt1      | 2.4.59-alt1           | ALT-PU-2020-1669-1 | 249447   | Fixed
apache2      | p9       | 2.4.43-alt1      | 2.4.58-alt1           | ALT-PU-2020-1686-1 | 249454   | Fixed
apache2      | p8       | 2.4.43-alt1      | 2.4.43-alt1           | ALT-PU-2020-1696-1 | 249456   | Fixed
apache2      | c10f1    | 2.4.43-alt1      | 2.4.59-alt1           | ALT-PU-2020-1669-1 | 249447   | Fixed
apache2      | c9f2     | 2.4.43-alt1      | 2.4.59-alt1           | ALT-PU-2020-1686-1 | 249454   | Fixed

References to advisories, solutions and tools

Link
Resource
https://httpd.apache.org/security/vulnerabilities_24.html
  • Vendor Advisory
[oss-security] 20200403 Re: CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect
  • Mailing List
  • Third Party Advisory
[oss-security] 20200403 Re: CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect
  • Mailing List
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20200413-0002/
  • Third Party Advisory
openSUSE-SU-2020:0597
  • Mailing List
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html
  • Patch
  • Third Party Advisory
USN-4458-1
  • Third Party Advisory
DSA-4757
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
  • Patch
  • Third Party Advisory
[debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update
  • Mailing List
  • Third Party Advisory
N/A
  • [httpd-dev] 20200404 Odd vulnerabilities_24.html output
  • [httpd-dev] 20200404 Re: Odd vulnerabilities_24.html output
  • [httpd-cvs] 20200411 svn commit: r1876405 - in /httpd/test/framework/trunk/t: conf/core.conf.in security/CVE-2020-1927.t
  • [httpd-cvs] 20200412 svn commit: r1876426 - /httpd/test/framework/trunk/t/security/CVE-2020-1927.t
  • FEDORA-2020-189a1e6c3e
  • FEDORA-2020-0d3d3f5072
  • [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
  • [httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/
  • [httpd-cvs] 20210330 svn commit: r1888194 [13/13] - /httpd/site/trunk/content/security/json/
  • [httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20210330 svn commit: r1073139 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
  • [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
  • [httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
  • [httpd-cvs] 20210330 svn commit: r1073158 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-1927.json security/vulnerabilities_24.html
  • [httpd-cvs] 20210330 svn commit: r1888215 - /httpd/site/trunk/content/security/json/CVE-2020-1927.json
  • [httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
Configuration 1

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
  from 2.4.0 (including) up to 2.4.41 (including)

Configuration 2

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Configuration 3

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 4

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

Configuration 5

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 6

cpe:2.3:a:netapp:oncommand_unified_manager_core_package:-:*:*:*:*:*:*:*

Configuration 7

cpe:2.3:o:broadcom:brocade_fabric_operating_system:-:*:*:*:*:*:*:*

Configuration 8

cpe:2.3:a:oracle:sd-wan_aware:8.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*
  from 17.1 (including) up to 17.3 (including)
cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*