CVSS3: 9.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVSS2: 7.8 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Summary
Symantec Web Security Group (WSG) products using affected versions of Apache HTTP Server may be susceptible to multiple vulnerabilities. A remote attacker can bypass security controls, modify the behavior of HTTP Server configuration, obtain information from the server process memory, perform XSS attacks, and cause denial of service. A local low-privileged attacker can escalate their privileges on the system.
Affected Product(s)
The following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.
Content Analysis (CA)

| CVE | Supported Version(s) | Remediation |
| --- | --- | --- |
| CVE-2019-10098, CVE-2019-0220 | 2.3 | Upgrade to later release with fixes. |
| CVE-2019-10098, CVE-2019-0220 | 2.4, 3.0, 3.1 | Remediation is not available at this time. |
| CVE-2020-1927 | 2.3, 2.4 | Not vulnerable |
| CVE-2020-1927 | 3.0, 3.1 | Remediation is not available at this time. |

Security Analytics (SA)

| CVE | Supported Version(s) | Remediation |
| --- | --- | --- |
| CVE-2019-0211 | 7.2, 7.3, 8.0 | Upgrade to later release with fixes. |
| CVE-2019-0211 | 8.1 | Not vulnerable, remediation available in 8.1.1. |
Additional Product Information
CVE-2019-0211 is exploitable in Security Analytics (SA) only when an authenticated web UI user can create and execute custom Lua scripts for data enrichment workflows. The web UI user must belong to a group that has permissions to modify data enrichment settings and create/edit rules.
The following products are not vulnerable:
Advanced Secure Gateway (ASG)
AuthConnector
BCAAA
General Auth Connector Login Application
HSM Agent
Management Center (MC)
PacketShaper (PS) S-Series
PolicyCenter (PC) S-Series
ProxySG
Reporter
SSL Visibility
Symantec Messaging Gateway (SMG)
Unified Agent
Web Isolation (WI)
WSS Agent
WSS Mobile Agent
Issue Details
CVE-2018-17189
Severity / CVSS v3.x: Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
References: NVD: CVE-2018-17189
Impact: Denial of service
Description: A flaw in the mod_http2 module allows a remote attacker to send crafted HTTP/2 requests and cause denial of service by occupying a server thread.

CVE-2018-17199
Severity / CVSS v3.x: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
References: NVD: CVE-2018-17199
Impact: Security control bypass
Description: A flaw in the mod_session module allows a remote attacker to bypass the session expiry check for sessions stored in HTTP cookies.

CVE-2019-0190
Severity / CVSS v3.x: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2019-0190
Impact: Denial of service
Description: A flaw in mod_ssl client renegotiation handling allows a remote attacker to send a crafted request and cause denial of service through excessive CPU consumption.

CVE-2019-0196
Severity / CVSS v3.x: Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
References: NVD: CVE-2019-0196
Impact: Denial of service
Description: A flaw in the mod_http2 module allows a remote attacker to send crafted HTTP/2 requests and cause denial of service through invalid memory read access.

CVE-2019-0197
Severity / CVSS v3.x: Medium / 4.2 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L)
References: NVD: CVE-2019-0197
Impact: Denial of service, unauthorized modification
Description: A flaw in the mod_http2 module allows a remote attacker to upgrade HTTP 1.1 connections to HTTP/2 and cause misconfiguration and denial of service through application crashes.

CVE-2019-0211
Severity / CVSS v3.x: High / 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2019-0211
Impact: Privilege escalation
Description: A flaw in process and thread handling allows an attacker who can execute low-privileged arbitrary code on the web server to escalate their privileges on the system. To execute arbitrary code, the attacker must have local access or the web server must allow clients to upload arbitrary code for execution.

CVE-2019-0215
Severity / CVSS v3.x: High / 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2019-0215
Impact: Security control bypass
Description: A flaw in the mod_ssl module allows a remote attacker to bypass access control restrictions that use client certificate authentication in TLS 1.3 connections.

CVE-2019-0217
Severity / CVSS v3.x: High / 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2019-0217
Impact: Security control bypass
Description: A flaw in the mod_auth_digest module allows a remote attacker with valid credentials to authenticate using a different username and bypass access control restrictions.

CVE-2019-0220
Severity / CVSS v3.x: Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
References: NVD: CVE-2019-0220
Impact: Unauthorized modification
Description: A flaw in request handling allows a remote attacker to send crafted requests with multiple slashes (‘/’) in the URL path component and modify the behavior of configuration directives that match URL path components against regular expressions.

CVE-2019-9517
Severity / CVSS v3.x: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2019-9517
Impact: Denial of service
Description: A flaw in the mod_http2 module allows a remote attacker to send requests for large objects and cause denial of service through excessive CPU and/or memory consumption.

CVE-2019-10081
Severity / CVSS v3.x: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2019-10081
Impact: Denial of service
Description: A flaw in the mod_http2 module allows a remote attacker to send requests that trigger the HTTP/2 server push functionality and cause denial of service through memory corruption and application crashes. Server Push is a feature of the HTTP/2 protocol that allows the web server to push additional objects to the client when the client requests a different but related object.

CVE-2019-10082
Severity / CVSS v3.x: Critical / 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
References: NVD: CVE-2019-10082
Impact: Denial of service
Description: A flaw in the mod_http2 module allows a remote attacker to send requests that trigger read-after-free memory accesses and cause denial of service through application crashes.

CVE-2019-10092
Severity / CVSS v3.x: Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
References: NVD: CVE-2019-10092
Impact: Cross-site scripting (XSS)
Description: A flaw in the mod_proxy module allows a remote attacker to target a web server user with a crafted link and execute arbitrary code in the user’s web browser. The web server must have proxying enabled and be misconfigured in order to show a proxy error page.

CVE-2019-10097
Severity / CVSS v3.x: High / 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2019-10097
Impact: Denial of service
Description: A flaw in the mod_remoteip module allows a malicious downstream proxy to send crafted PROXY headers and cause denial of service through memory corruption and application crashes.

CVE-2019-10098
Severity / CVSS v3.x: Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
References: NVD: CVE-2019-10098
Impact: Open redirection
Description: A flaw in the mod_rewrite module allows a remote attacker to target a web server user with crafted links and redirect the user’s web browser to an arbitrary URL. This vulnerability is different from CVE-2020-1927.

CVE-2020-1927
Severity / CVSS v3.x: Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
References: NVD: CVE-2020-1927
Impact: Open redirection
Description: A flaw in the mod_rewrite module allows a remote attacker to target a web server user with crafted links and redirect the user’s web browser to an arbitrary URL. This vulnerability is different from CVE-2019-10098.

CVE-2020-1934
Severity / CVSS v3.x: Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
References: NVD: CVE-2020-1934
Impact: Information disclosure
Description: A flaw in the mod_proxy_ftp module allows a remote attacker to connect through the web server to a malicious FTP server and obtain limited contents from the web server process’ memory. The target web server must be configured to act as a proxy to a malicious FTP server.
References
Apache 2.4 Security Vulnerabilities - <http://httpd.apache.org/security/vulnerabilities_24.html>
Revisions
2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-04-26 PacketShaper (PS) S-Series and PolicyCenter (PC) S-Series are not vulnerable.
2021-02-18 A fix for CA 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-12-09 A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is vulnerable.
2020-06-18 Initial public release.