Vulnerability DatabaseCVE-2020-1927

CVE-2020-1927:
Apache HTTP Server vulnerability analysis and mitigation

Overview

CVE-2020-1927 affects Apache HTTP Server versions 2.4.0 to 2.4.41. The vulnerability involves redirects configured with modrewrite that were intended to be self-referential but could be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL ([Apache Security](https://httpd.apache.org/security/vulnerabilities24.html), Rapid7).

Technical details

The vulnerability has a CVSS v3.1 base score of 6.1 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates it is network accessible, requires low attack complexity, needs no privileges, requires user interaction, has changed scope, and can impact confidentiality and integrity but not availability (NVD).

Impact

A successful exploit could allow an attacker to perform redirects to an unexpected URL, potentially leading to open redirect vulnerabilities. This could be used to conduct phishing attacks by redirecting users to malicious sites (Rapid7).

Mitigation and workarounds

Users should upgrade to Apache HTTP Server version 2.4.42 or later which contains the fix for this vulnerability. The issue was fixed in Apache HTTP Server 2.4.42 (Ubuntu Security, Apache Security).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

6.1

Score

Published April 2, 2020

Severity MEDIUM

CNA Score N/A

Affected Technologies

Apache HTTP Server
Alma Linux

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 83.9

Exploitation Probability (EPSS) 2.2

Affected packages and libraries

httpd24-devel
httpd-debuginfo

Sources

AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: Jul 20, 2022
Alpine Security Tracker
- Alpine 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14 Severity MEDIUMHas FixAdded at: Nov 23, 2021
- Alpine 3.15 Severity MEDIUMHas FixAdded at: Nov 25, 2021
- Alpine 3.16 Severity MEDIUMHas FixAdded at: May 24, 2022
- Alpine 3.17 Severity MEDIUMHas FixAdded at: Nov 23, 2022
- Alpine 3.18 Severity MEDIUMHas FixAdded at: May 10, 2023
- Alpine 3.19 Severity MEDIUMHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity MEDIUMHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity MEDIUMHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity MEDIUMHas FixAdded at: Jun 01, 2025
- Alpine edge Severity MEDIUMHas FixAdded at: Jun 19, 2023
Debian Security Tracker
- Debian 9, 10 Severity MEDIUMHas FixAdded at: Nov 23, 2021
- Debian 11, 12 Severity LOWHas FixAdded at: Nov 23, 2021
- Debian 13 Severity LOWHas FixAdded at: Jun 11, 2023
- Debian 14 Severity LOWHas FixAdded at: Aug 10, 2025
Photon Security Advisory
- Photon 1.0, 2.0, 3.0 Severity MEDIUMHas FixAdded at: Nov 23, 2021
Red Hat Errata
- Red Hat 7 Severity MEDIUMHas FixAdded at: Nov 23, 2021
- Red Hat 8 Severity MEDIUMHas FixAdded at: Nov 23, 2021
Ubuntu Security Tracker
- Ubuntu 16.04, 18.04, 20.04 Severity LOWHas FixAdded at: Nov 23, 2021
NVD
- Linux Severity MEDIUMHas FixAdded at: Nov 23, 2021
- Windows Severity MEDIUMHas FixAdded at: Nov 23, 2021