Multiple vulnerabilities in Apache Httpd
CVE: CVE-2019-0211, CVE-2019-0215, CVE-2019-0217
CVE-Score: 8.2
Sources
https://httpd.apache.org/security/vulnerabilities_24.html
Risks
Users with limited permissions on the server might be able to elevate their privileges using scripts, making it possible to run commands on vulnerable Apache web servers as root.
Description
In Apache HTTP Server 2.4, versions 2.4.17 to 2.4.38, code running in secondary processes with lesser privileges could execute arbitrary code with root privileges by manipulating the scoreboard functionality of its mod_status module.
Non-Unix systems are not affected by this vulnerability.
Two other vulnerabilities, CVE-2019-0215 and CVE-2019-0217, could let a malicious actor bypass configured access control restrictions. All operating systems are impacted.
Recommended Actions
CERT.be recommends that administrators update Apache to the latest available version.
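To check whether an installation falls in the 2.4.17 to 2.4.38 range given in the Description, the following added example (not CERT.be or Apache code) parses a version banner and classifies it. The function names and the sample banner are constructed for illustration.

```shell
#!/bin/sh
# Added example (not CERT.be or Apache code): compare a reported httpd version
# with the 2.4.17 - 2.4.38 range the advisory gives for CVE-2019-0211.

# Print the x.y.z after "Apache/" in `httpd -v` / `apache2 -v` style text.
extract_httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Exit 0 if 2.4.17 <= VERSION <= 2.4.38, 1 if outside, 2 if not x.y.z.
in_affected_range() {
    case $1 in
        ''|*[!0-9.]*) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ $# -eq 3 ] || return 2
    for part in "$@"; do
        [ -n "$part" ] || return 2
    done
    [ "$1" -eq 2 ] && [ "$2" -eq 4 ] && [ "$3" -ge 17 ] && [ "$3" -le 38 ]
}

# Print a one-line verdict for a version banner.
assess() {
    ver=$(extract_httpd_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown: no Apache version string found"
    elif in_affected_range "$ver"; then
        echo "$ver: AFFECTED range for CVE-2019-0211 (Unix only), update"
    else
        echo "$ver: outside 2.4.17-2.4.38; CVE-2019-0215/0217 ranges not given here"
    fi
}

# Constructed sample banner; on a real host pass "$(httpd -v)" or "$(apache2 -v)".
SAMPLE='Server version: Apache/2.4.29 (Ubuntu)'
assess "$SAMPLE"
```

Distribution packages often backport security fixes without changing the upstream version number, so confirm a match against the package changelog before treating a host as vulnerable.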