What is CVE-2019-10097?

CVE-2019-10097 is a vulnerability in Apache Http Server. Published 2019-09-26.

Is CVE-2019-10097 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Http Server

CVE-2019-10097

In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference…

EPSS: 0.527 (98.8th percentile) — read the EPSS interpretation.

Affected products

N/a Apache Http Server — versions 2.4.32 to 2.4.39

Public proof-of-concept exploits

References

RHSA-2019:4126 (vendor-advisory, x_refsource_REDHAT)
[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html (mailing-list, x_refsource_MLIST)
[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html (mailing-list, x_refsource_MLIST)
www.oracle.com/security-alerts/cpuapr2020.html (x_refsource_MISC)
www.oracle.com/security-alerts/cpujul2020.html (x_refsource_MISC)
www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (x_refsource_MISC)
httpd.apache.org/security/vulnerabilities_24.html (x_refsource_MISC)
www.oracle.com/security-alerts/cpuoct2020.html (x_refsource_MISC)
[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ (mailing-list, x_refsource_MLIST)
[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/ (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2019-10097?: CVE-2019-10097 is a vulnerability in Apache Http Server. Published 2019-09-26.
Is CVE-2019-10097 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.