Vulnerability in Apache Http Server
CVE-2020-1934
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.
EPSS: 0.272 (96.5th percentile) — read the EPSS interpretation.
Affected products
- Apache Http Server — versions 2.4.0 to 2.4.41
Public proof-of-concept exploits
References
- [httpd-dev] 20200404 Odd vulnerabilities_24.html output (mailing-list, x_refsource_MLIST)
- [httpd-dev] 20200404 Re: Odd vulnerabilities_24.html output (mailing-list, x_refsource_MLIST)
- [httpd-cvs] 20200420 svn commit: r1876764 - /httpd/httpd/branches/2.4.x/CHANGES (mailing-list, x_refsource_MLIST)
- openSUSE-SU-2020:0597 (vendor-advisory, x_refsource_SUSE)
- www.oracle.com/security-alerts/cpujul2020.html (x_refsource_MISC)
- httpd.apache.org/security/vulnerabilities_24.html (x_refsource_CONFIRM)
- security.netapp.com/advisory/ntap-20200413-0002/ (x_refsource_CONFIRM)
- USN-4458-1 (vendor-advisory, x_refsource_UBUNTU)
- FEDORA-2020-189a1e6c3e (vendor-advisory, x_refsource_FEDORA)
- DSA-4757 (vendor-advisory, x_refsource_DEBIAN)
Frequently asked questions
- What is CVE-2020-1934?
- CVE-2020-1934 is a vulnerability in Apache Http Server. Published 2020-04-01.
- Is CVE-2020-1934 known to be exploited?
- 18 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.