Versions of Apache HTTP Server prior to 2.4.39 are unpatched, and therefore affected by multiple vulnerabilities:
- Using fuzzed network input, the HTTP/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly. (CVE-2019-0196)
- When HTTP/2 was enabled for a "http: host" or H2Upgrade was enabled for h2 on a "https: host", an Upgrade request from HTTP/1.1 to HTTP/2 that was not the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol, or that only enabled it for HTTPS and did not configure "H2Upgrade on", is unaffected by this. (CVE-2019-0197)
- With MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process by manipulating the scoreboard. (CVE-2019-0211)
- A bug in "mod_ssl" when using per-location client certificate verification with TLSv1.3 allows a client supporting Post-Handshake Authentication to bypass configured access control restrictions. (CVE-2019-0215)
- A race condition in "mod_auth_digest" when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. (CVE-2019-0217)
- When the path component of a request URL contains multiple consecutive slashes ("/"), directives such as "LocationMatch" and "RewriteRule" must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them. (CVE-2019-0220)
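
The mismatch described for CVE-2019-0220 can be audited offline. The following is an added example, not part of the original advisory or of Apache's code: it takes path regexes of the kind used with LocationMatch or RewriteRule, reports request paths that a pattern misses only because of repeated slashes, and suggests a slash-tolerant form. Assumptions: Python's `re` stands in for the server's regex engine, the function names are hypothetical, and the patterns and paths are constructed samples.

```python
import re

def collapse_slashes(path):
    """Model the implicit collapsing of repeated slashes described above."""
    return re.sub(r"/{2,}", "/", path)

def tolerant(pattern):
    """Rewrite each bare literal '/' in a pattern to '/+' (simple patterns only).

    Slashes that already carry a quantifier are left alone; slashes inside
    character classes are not handled (assumption: none in audited patterns).
    """
    return re.sub(r"/(?![+*?{])", "/+", pattern)

def mismatches(pattern, raw_paths):
    """Return raw paths the pattern misses although their collapsed form matches."""
    rx = re.compile(pattern)
    return [p for p in raw_paths
            if not rx.search(p) and rx.search(collapse_slashes(p))]

# Constructed sample data, not taken from the advisory.
PATTERNS = ["^/admin/console", "^/+private/+reports", "^/internal/(.*)$"]
REQUEST_PATHS = ["/admin/console", "//admin/console", "/admin//console",
                 "/private//reports", "/internal///status", "///internal/status"]

def audit(patterns, paths):
    """Map each pattern to (missed raw paths, suggested tolerant pattern)."""
    report = {}
    for pat in patterns:
        missed = mismatches(pat, paths)
        if missed:
            report[pat] = (missed, tolerant(pat))
    return report

if __name__ == "__main__":
    for pat, (missed, fix) in audit(PATTERNS, REQUEST_PATHS).items():
        print(f"{pat!r} misses {missed}; consider {fix!r}")
```

Feed it the patterns extracted from a real configuration and a list of paths from access logs to find access-control or rewrite rules that need review.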