CVE-2020-1927 vulnerability in Apache and Other Products
Published on April 2, 2020

In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Weakness Type

What is an Open Redirect Vulnerability?

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

CVE-2020-1927 has been classified to as an Open Redirect vulnerability or weakness.

Products Associated with CVE-2020-1927

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-1927 are published in these products:

Apache HTTP Server

Fedora Project Fedora

Debian Linux

Canonical Ubuntu Linux

OpenSuse Leap

NetApp Oncommand Unified Manager Core Package

Broadcom Brocade Fabric Operating System

Oracle Communications Element Manager

Oracle Communications Session Report Manager

Oracle Communications Session Route Manager

Oracle Enterprise Manager Ops Center

Oracle Instantis Enterprisetrack

Oracle Sd Wan Aware

Oracle Zfs Storage Appliance Kit

Affected Versions

Apache HTTP Server Version 2.4.0 to 2.4.41 is affected by CVE-2020-1927

Exploit Probability

EPSS

11.30%

Percentile

93.38%