Vulnerability CVE-2019-0220: Information

Description

A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing will implicitly collapse them.
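The mismatch described above can be checked for in an existing rule set. The following is an added example, not code from the advisory or from the Apache project: it flags regular expressions that match a path but miss an equivalent spelling with a doubled slash. The patterns and paths are constructed samples, and Python's `re` module stands in for the server's regex engine.

```python
import re

# Constructed sample patterns of the kind placed in LocationMatch / RewriteRule.
PATTERNS = [r"^/admin/", r"^/+admin/+", r"^/private/.*\.conf$"]
# Constructed sample paths that the patterns are meant to cover.
PATHS = ["/admin/users", "/private/app.conf"]


def merge_slashes(path):
    """Collapse runs of '/' as the rest of request processing does implicitly."""
    return re.sub(r"/{2,}", "/", path)


def slash_variants(path):
    """Yield spellings of path with one separator doubled at a time."""
    for i, ch in enumerate(path):
        if ch == "/":
            yield path[:i] + "/" + path[i:]


def audit(patterns, paths):
    """Return (pattern, variant) pairs where the pattern matches the canonical
    path but not a duplicate-slash variant that collapses to the same path."""
    findings = []
    for pat in patterns:
        rx = re.compile(pat)
        for path in paths:
            if not rx.search(path):
                continue  # pattern is not meant for this path
            for variant in slash_variants(path):
                if merge_slashes(variant) == path and not rx.search(variant):
                    findings.append((pat, variant))
    return findings


def matches_after_merge(pattern, path):
    """Match against the collapsed path, so both views of the URL agree."""
    return re.search(pattern, merge_slashes(path)) is not None


if __name__ == "__main__":
    for pat, variant in audit(PATTERNS, PATHS):
        print(f"pattern {pat!r} does not cover {variant!r}")
```

Patterns reported by `audit` either need to tolerate repeated separators (as `^/+admin/+` does) or need to be evaluated against the collapsed path, as `matches_after_merge` does.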

Severity: MEDIUM (5.3) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Published: June 12, 2019
Modified: Nov. 7, 2023
Error type identifier: CWE-706

Fixed packages

References to Advisories, Solutions, and Tools

Hyperlink
Resource
DSA-4422
  • Third Party Advisory
USN-3937-1
  • Third Party Advisory
https://support.f5.com/csp/article/K44591505
  • Third Party Advisory
20190403 [SECURITY] [DSA 4422-1] apache2 security update
  • Mailing List
  • Third Party Advisory
[debian-lts-announce] 20190403 [SECURITY] [DLA 1748-1] apache2 security update
  • Mailing List
  • Third Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.html
  • Vendor Advisory
107670
  • Third Party Advisory
  • VDB Entry
[oss-security] 20190401 CVE-2019-0220: URL normalization inconsistincies
  • Mailing List
  • Third Party Advisory
openSUSE-SU-2019:1258
  • Mailing List
  • Patch
  • Third Party Advisory
openSUSE-SU-2019:1209
  • Mailing List
  • Patch
  • Third Party Advisory
openSUSE-SU-2019:1190
  • Mailing List
  • Patch
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20190625-0007/
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
RHSA-2019:2343
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
RHSA-2019:3436
RHSA-2019:4126
RHSA-2020:0250
RHSA-2020:0251
N/A
https://www.oracle.com/security-alerts/cpujul2020.html
N/A
FEDORA-2019-cf7695b470
FEDORA-2019-119b14075a
FEDORA-2019-a4ed7400f4
[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-bugs] 20200325 [Bug 63437] MergeSlashes option breaks protocol specifier in URIs
[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/
[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
[httpd-cvs] 20210330 svn commit: r1888194 [12/13] - /httpd/site/trunk/content/security/json/
[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
[httpd-cvs] 20210330 svn commit: r1073149 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Configuration 1

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
Start including: 2.4.0
End including: 2.4.38

Configuration 2

cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*

Configuration 3

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 4

cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Configuration 5

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*