CVE-2020-11993

Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

Published: Aug 7, 2020
Updated: Apr 13, 2023
CVE: CVE-2020-11993
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

CWE-444

Affected Software
References

Software	From	Fixed in
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	20.04	20.04.x
opensuse / leap	15.1	15.1.x
opensuse / leap	15.2	15.2.x
debian / debian_linux	10.0	10.0.x
fedoraproject / fedora	31	31.x
fedoraproject / fedora	32	32.x
oracle / instantis_enterprisetrack	17.1	17.1.x
oracle / instantis_enterprisetrack	17.2	17.2.x
oracle / instantis_enterprisetrack	17.3	17.3.x
oracle / hyperion_infrastructure_technology	11.1.2.4	11.1.2.4.x
oracle / enterprise_manager_ops_center	12.4.0.0	12.4.0.0.x
oracle / communications_session_route_manager	8.2.0	8.2.2.x
oracle / communications_session_report_manager	8.2.0	8.2.2.x
oracle / communications_element_manager	8.2.0	8.2.2.x
oracle / zfs_storage_appliance_kit	8.8	8.8.x
apache / http_server	2.4.20	2.4.44

Vulnerability Database

289,599

CVE-2020-11993