Open Redirect in Apache HTTP Server
CVE-2019-10098
In Apache HTTP Server 2.4.0 to 2.4.39, redirects configured with mod_rewrite that were intended to be self-referential could be fooled by encoded newlines in the request URL, causing the server to redirect instead to an unexpected URL taken from within the request URL.
Vulnerability class: Open Redirect
EPSS: 0.774 (99.0th percentile)
Affected products
- Apache HTTP Server, versions 2.4.0 to 2.4.39
Weakness classification (CWE)
- CWE-601: URL Redirection to Untrusted Site (Open Redirect)
Public proof-of-concept exploits
References
- [oss-security] 20200401 CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect (mailing-list, x_refsource_MLIST)
- [httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html (mailing-list, x_refsource_MLIST)
- [httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html (mailing-list, x_refsource_MLIST)
- [httpd-cvs] 20200420 svn commit: r1876764 - /httpd/httpd/branches/2.4.x/CHANGES (mailing-list, x_refsource_MLIST)
- www.oracle.com/security-alerts/cpuapr2020.html (x_refsource_MISC)
- www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (x_refsource_MISC)
- www.oracle.com/security-alerts/cpujan2020.html (x_refsource_MISC)
- httpd.apache.org/security/vulnerabilities_24.html (x_refsource_MISC)
- [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ (mailing-list, x_refsource_MLIST)
- [httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/ (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2019-10098?
- CVE-2019-10098 is a vulnerability in Apache HTTP Server, classified under URL Redirection to Untrusted Site (Open Redirect). Published 2019-09-25.
- Is CVE-2019-10098 known to be exploited?
- 17 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.