CVE-2020-13938: 
Apache HTTP Server vulnerability analysis and mitigation

CVE-2020-13938 affects Apache HTTP Server versions 2.4.0 to 2.4.46 running on Windows systems. The vulnerability allows unprivileged local users to stop the httpd service on Windows platforms (Apache Advisory, OSS Security). The issue was discovered by Ivan Zhakov and was publicly disclosed in June 2021.

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. This indicates a local attack vector with low attack complexity, requiring low privileges and no user interaction. The scope is unchanged, with no impact on confidentiality or integrity, but high impact on availability (NVD).

The primary impact of this vulnerability is on system availability, as it allows unprivileged local users to stop the Apache HTTP Server service on Windows systems. This could result in a denial of service condition, disrupting web services running on the affected server (Apache Advisory).

The vulnerability was fixed in Apache HTTP Server version 2.4.48. Users running affected versions (2.4.0 to 2.4.46) on Windows systems should upgrade to version 2.4.48 or later to address this security issue (Apache Advisory).

Multiple vendors and organizations have acknowledged this vulnerability and issued advisories, including NetApp who assessed the vulnerability in their products and provided mitigation guidance (NetApp Advisory).