A vulnerability was discovered in Apache httpd, in mod_remoteip. A trusted proxy using the "PROXY" protocol could send specially crafted headers that could cause httpd to experience a stack buffer overflow or NULL pointer dereference, leading to a crash or other potential consequences.
This issue could only be exploited by configured trusted intermediate proxy servers. HTTP clients such as browsers could not exploit the vulnerability.

Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 2 - Core | httpd | 2019-10-28 17:42 | ALAS2-2019-1341 |
Amazon Linux 1 | httpd24 | 2019-10-18 23:22 | ALAS-2019-1311 |

Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 6.6 | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
NVD | CVSSv3 | 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
NVD | CVSSv2 | 6.0 | AV:N/AC:M/Au:S/C:P/I:P/A:P |