CVE-2019-10097

In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.

Published: Sep 26, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-10097
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.2
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6
AV:N/AC:M/Au:S/C:P/I:P/A:P

CWEs:

Affected Software
References

Software	From	Fixed in
apache / http_server	2.4.33	2.4.33.x
apache / http_server	2.4.37	2.4.37.x
apache / http_server	2.4.38	2.4.38.x
apache / http_server	2.4.34	2.4.34.x
apache / http_server	2.4.35	2.4.35.x
oracle / retail_xstore_point_of_service	7.1	7.1.x
oracle / enterprise_manager_ops_center	12.3.3	12.3.3.x
oracle / enterprise_manager_ops_center	12.4.0	12.4.0.x
oracle / instantis_enterprisetrack	17.1	17.3.x
oracle / communications_element_manager	8.2.0	8.2.0.x
oracle / communications_element_manager	8.1.1	8.1.1.x
oracle / communications_element_manager	8.1.0	8.1.0.x
oracle / communications_element_manager	8.0.0	8.0.0.x
oracle / http_server	12.2.1.4.0	12.2.1.4.0.x
oracle / communications_session_report_manager	8.1.1	8.1.1.x
oracle / communications_session_report_manager	8.2.0	8.2.0.x
oracle / communications_session_report_manager	8.2.1	8.2.1.x
oracle / communications_session_route_manager	8.1.1	8.1.1.x
oracle / communications_session_route_manager	8.2.0	8.2.0.x
oracle / communications_session_route_manager	8.2.1	8.2.1.x

Vulnerability Database

289,599

CVE-2019-10097