
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in Apache HTTP Server versions 2.4.32 to 2.4.44 affecting the mod_proxy_uwsgi module. The vulnerability (CVE-2020-11984) was discovered by Felix Wilhelm of Google Project Zero and disclosed in August 2020. The issue affects the mod_proxy_uwsgi module, which does not properly handle large headers, potentially leading to information disclosure and possible remote code execution (Apache Httpd).
The vulnerability exists in the mod_proxy_uwsgi module: the uwsgi protocol does not serialize more than 16K of HTTP header, leading to a buffer overflow condition. This could allow an attacker to cause information disclosure or potentially achieve remote code execution under certain conditions (Red Hat CVE).
The vulnerability has a CVSS v3.1 base score of 9.8 (Critical) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. A successful exploit could lead to information disclosure of sensitive data and potential remote code execution on affected systems (Rapid7).
The recommended mitigation is to upgrade to Apache HTTP Server version 2.4.46 or later, which contains the fix for this vulnerability. As a temporary workaround, administrators can disable the mod_proxy_uwsgi module if it is not required (Ubuntu Security).
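As an added illustration of the mitigation check described above (this script is not part of the advisory or of the Apache project): a POSIX shell script that classifies an httpd host from the strings that `httpd -v` and `httpd -M` print, reporting whether the version falls in the affected range 2.4.32 to 2.4.44 and whether mod_proxy_uwsgi is actually loaded. The function names, status strings and the sample command outputs embedded in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the advisory: triage a host for CVE-2020-11984
# from the output of `httpd -v` and `httpd -M`. All sample inputs below are
# constructed; on a real host substitute "$(httpd -v)" and "$(httpd -M 2>/dev/null)".

# Constructed sample of `httpd -v` output for an affected build.
SAMPLE_VERSION_OLD='Server version: Apache/2.4.41 (Ubuntu)
Server built:   2020-04-13T17:19:17'
# Constructed sample for a fixed build.
SAMPLE_VERSION_FIXED='Server version: Apache/2.4.46 (Unix)'
# Constructed sample of `httpd -M` output with the proxy uwsgi module loaded.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_uwsgi_module (shared)'
# Same, but without mod_proxy_uwsgi.
SAMPLE_MODULES_NO_UWSGI='Loaded Modules:
 core_module (static)
 proxy_module (shared)'

# parse_httpd_version "<httpd -v output>" -> "2.4.41" (empty if not found)
parse_httpd_version() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Apache\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
      | head -n 1
}

# version_affected "2.4.41" -> yes/no; affected range is 2.4.32 through 2.4.44
version_affected() {
    case "$1" in
        2.4.*) patch=${1#2.4.}; patch=${patch%%[!0-9]*} ;;
        *) echo no; return ;;
    esac
    [ -n "$patch" ] || { echo no; return; }
    if [ "$patch" -ge 32 ] && [ "$patch" -le 44 ]; then echo yes; else echo no; fi
}

# module_loaded "<httpd -M output>" -> yes/no for proxy_uwsgi_module
module_loaded() {
    if printf '%s\n' "$1" | grep -q 'proxy_uwsgi_module'; then echo yes; else echo no; fi
}

# assess "<httpd -v output>" "<httpd -M output>" -> one-line verdict
assess() {
    ver=$(parse_httpd_version "$1")
    [ -n "$ver" ] || { echo "unknown: could not parse version"; return; }
    if [ "$(version_affected "$ver")" = no ]; then
        echo "not affected by version ($ver)"
    elif [ "$(module_loaded "$2")" = no ]; then
        echo "affected version ($ver) but mod_proxy_uwsgi not loaded"
    else
        echo "vulnerable: $ver with mod_proxy_uwsgi loaded; upgrade to 2.4.46 or later, or disable the module"
    fi
}

# Demonstration on the constructed samples.
assess "$SAMPLE_VERSION_OLD" "$SAMPLE_MODULES"
assess "$SAMPLE_VERSION_OLD" "$SAMPLE_MODULES_NO_UWSGI"
assess "$SAMPLE_VERSION_FIXED" "$SAMPLE_MODULES"
```

One caveat a practitioner should keep in mind: distribution packages frequently backport the fix without changing the reported version string, so on Debian, Ubuntu or RHEL-style systems a "vulnerable" verdict from the version number alone must be confirmed against the package changelog. On Debian-based layouts the workaround in the advisory corresponds to `a2dismod proxy_uwsgi` followed by a service reload; on other layouts, comment out the matching `LoadModule proxy_uwsgi_module` line.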
The vulnerability received significant attention from the security community due to its critical severity rating. The Apache security team initially provided limited details to allow downstream packagers time to incorporate fixes, though this approach was criticized by some security researchers as potentially harmful to the patching process (OpenWall Discussion).
Source: This report was generated using AI