Vulnerability Description
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | HTTP Server | >= 2.4.0, <= 2.4.39 |
| openSUSE | Leap | 15.0 |
| Debian | Debian Linux | 8.0 |
| Red Hat | Software Collection | 1.0 |
| Fedoraproject | Fedora | 30 |
| Canonical | Ubuntu Linux | 16.04 |
| NetApp | Clustered Data ONTAP | <= 9.5 |
| Oracle | Communications Element Manager | 8.0.0 |
| Oracle | Enterprise Manager Ops Center | 12.3.3 |
| Oracle | Secure Global Desktop | 5.4 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2019/08/15/4 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/08/08/1 (Mailing List)
- http://www.openwall.com/lists/oss-security/2020/08/08/9 (Mailing List)
- https://access.redhat.com/errata/RHSA-2019:4126 (Third Party Advisory)
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-10092-Limited% (Exploit, Third Party Advisory)
- https://httpd.apache.org/security/vulnerabilities_24.html (Vendor Advisory)
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cd
- https://lists.apache.org/thread.html/73768e31e0fcae03e12f5aa87da1cb26dece39327f3
- https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f60
- https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda
- https://lists.apache.org/thread.html/r0a83b112cd9701ef8a2061c8ed557f3dc9bb774d4d
- https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46
- https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f8
FAQ
What is CVE-2019-10092?
CVE-2019-10092 is a vulnerability with a CVSS score of 6.1 (MEDIUM). In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead...
How severe is CVE-2019-10092?
CVE-2019-10092 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-10092?
Check the references section above for vendor advisories and patch information. Affected products include: Apache HTTP Server, openSUSE Leap, Debian Debian Linux, Red Hat Software Collection, Fedoraproject Fedora.