oss-sec mailing list archives
CVE-2019-0220: URL normalization inconsistincies
From: Daniel Ruggeri <druggeri () apache org>
Date: Mon, 01 Apr 2019 20:31:27 -0500
CVE-2019-0220: URL normalization inconsistincies Severity: Low Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.0 to 2.4.39 Description: When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them. Mitigation: Regular expressions used in directives that match against the path component of the request URL can be modified to account for multiple consecutive slashes. Credit: The issue was discovered by Bernhard Lorenz <bernhard.lorenz () alphastrike io> of Alpha Strike Labs GmbH". References: https://httpd.apache.org/security/vulnerabilities_24.html
Current thread:
- CVE-2019-0220: URL normalization inconsistincies Daniel Ruggeri (Apr 02)