CVE编号
CVE-2020-1927利用情况
暂无补丁情况
官方补丁披露时间
2020-04-02漏洞描述
在Apache HTTP Server 2.4.0到2.4.41中,使用mod_rewrite配置的旨在成为自参考的重定向可能会被编码的换行符欺骗,而重定向到请求URL中的意外URL。解决建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:https://httpd.apache.org/security/vulnerabilities_24.html
参考链接 |
|
|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html | |
| http://www.openwall.com/lists/oss-security/2020/04/03/1 | |
| http://www.openwall.com/lists/oss-security/2020/04/04/1 | |
| https://httpd.apache.org/security/vulnerabilities_24.html | |
| https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cad... | |
| https://lists.apache.org/thread.html/r09bb998baee74a2c316446bd1a41ae7f8d7049d... | |
| https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05... | |
| https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d561591... | |
| https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250... | |
| https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885... | |
| https://lists.apache.org/thread.html/r6a4146bf3d1645af2880f8b7a4fd8afd696d5fd... | |
| https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b... | |
| https://lists.apache.org/thread.html/r731d43caece41d78d8c6304641a02a369fd7830... | |
| https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedee... | |
| https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f... | |
| https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444a... | |
| https://lists.apache.org/thread.html/rdf3e5d0a5f5c3d90d6013bccc6c4d5af59cf1f8... | |
| https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f... | |
| https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html | |
| https://lists.fedoraproject.org/archives/list/[email protected]... | |
| https://lists.fedoraproject.org/archives/list/[email protected]... | |
| https://security.netapp.com/advisory/ntap-20200413-0002/ | |
| https://usn.ubuntu.com/4458-1/ | |
| https://www.debian.org/security/2020/dsa-4757 | |
| https://www.oracle.com/security-alerts/cpuApr2021.html | |
| https://www.oracle.com/security-alerts/cpujul2020.html |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | apache | http_server | * |
From (including) 2.4.0 |
Up to (including) 2.4.41 |
||||
| 运行在以下环境 | |||||||||
| 系统 | alibaba_cloud_linux_2.1903 | httpd | * |
Up to (excluding) 2.4.6-95.2.al7 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.10 | httpd | * |
Up to (excluding) 2.4.43-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.11 | httpd | * |
Up to (excluding) 2.4.43-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.12 | httpd | * |
Up to (excluding) 2.4.43-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.13 | httpd | * |
Up to (excluding) 2.4.43-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.14 | httpd | * |
Up to (excluding) 2.4.43-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.15 | httpd | * |
Up to (excluding) 2.4.43-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.8 | httpd | * |
Up to (excluding) 2.4.43-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.9 | httpd | * |
Up to (excluding) 2.4.43-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_edge | httpd | * |
Up to (excluding) 2.4.43-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | amazon_2 | httpd | * |
Up to (excluding) 2.4.43-1.amzn2 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | amazon_AMI | httpd | * |
Up to (excluding) 2.4.43-1.89.amzn1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | centos_8 | httpd | * |
Up to (excluding) 2.4.37-30.module+el8.3.0+7001+0766b9e7 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_10 | httpd | * |
Up to (excluding) 2.4.38-3+deb10u4 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_9 | httpd | * |
Up to (excluding) 2.4.25-3+deb9u10 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_31 | httpd | * |
Up to (excluding) 2.4.46-1.fc31 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | fedora_32 | httpd | * |
Up to (excluding) 2.4.46-1.fc32 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | opensuse_Leap_15.1 | httpd | * |
Up to (excluding) 2.4.33-lp151.8.12.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | oracle_7 | httpd | * |
Up to (excluding) 2.4.6-95.0.1.el7 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | oracle_8 | httpd | * |
Up to (excluding) 2.4.37-30.0.1.module+el8.3.0+7816+49791cfd |
|||||
| 运行在以下环境 | |||||||||
| 系统 | redhat_8 | httpd | * |
Up to (excluding) 2.4.37-30.module+el8.3.0+7001+0766b9e7 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | suse_12_SP4 | httpd | * |
Up to (excluding) 2.4.23-29.54.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | suse_12_SP5 | httpd | * |
Up to (excluding) 2.4.23-29.54.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_16.04 | httpd | * |
Up to (excluding) 2.4.18-2ubuntu3.17 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_18.04 | httpd | * |
Up to (excluding) 2.4.29-1ubuntu4.14 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_20.04 | httpd | * |
Up to (excluding) 2.4.41-4ubuntu3.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | unionos_20 | httpd | * |
Up to (excluding) 2.4.38-3+deb10u4 |
|||||
- 攻击路径 远程
- 攻击复杂度 容易
- 权限要求 无需权限
- 影响范围 有限影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 无影响
- 数据完整性 传输被破坏
- 服务器危害 无影响
- 全网数量 N/A
还没有评论,来说两句吧...