Cy1337H1:527042Internet Bug Bounty: CVE-2019-0196: mod_http2 with scoreboard Use-After-Free (Read)
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.007 Low
EPSS
Percentile
78.3%
A crafted HTTP2 request can trigger reference to request data from a memory pool after its destruction. This memory is subsequently used as input to an sprintf type function for constructing a string value. This unsafe memory access ultimately means that the
r->the_request string is poisoned with unintended data.
To reproduce the problem, I have attached a script that will download/compile Apache httpd and reproduce the behavior with ASAN enabled. The archive also contains a nice ASAN output from the event.
Impact
This is an unsafe memory access. It could lead to process crashes, assist in other exploits, or reveal confidential data through unexplored interactions with other httpd modules.
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.007 Low
EPSS
Percentile
78.3%