CVE-2020-1934

Description

In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.

How to fix CVE-2020-1934

To remediate CVE-2020-1934, upgrade the affected package to a fixed version below.

• Alpine/apache2—upgrade to 2.4.43-r0 or later
• Bitnami/apache—upgrade to 2.4.42 or later
• Debian/apache2—upgrade to 2.4.43-1 or later

Is CVE-2020-1934 being exploited?

Moderate — EPSS is 27.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

• from 0, < 2.4.43-r0
• >= 2.4.0, < 2.4.42
• from 0, < 2.4.43-1

CVSS scores

References (26)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2020-1934
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-1934
• WEBlists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html
• WEBhttpd.apache.org/security/vulnerabilities_24.html