Synology-SA-19:14 Apache HTTP Server
Publish Time: 2019-04-03 14:41:40 UTC+8
Last Updated: 2019-05-15 17:45:34 UTC+8
- Severity
- Important
- Status
- Resolved
Abstract
CVE-2019-0211 allows local users to conduct privilege escalation attacks via a susceptible version of Apache HTTP server 2.4.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Apache HTTP Server 2.2 | Not affected | N/A |
| Apache HTTP Server 2.4 | Important | Upgrade to 2.4.39-0014 or above. |
Mitigation
None
Detail
- CVE-2019-0211
- Severity: Important
- CVSS3 Base Score: 7.5
- CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
Reference
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2019-04-03 | Initial public release. |
| 2 | 2019-04-03 | Update for Apache HTTP Server 2.4 is now available in Affected Products. |
| 3 | 2019-05-15 | Disclosed vulnerability details. |