CVE-2020-35452

Description

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow

How to fix CVE-2020-35452

To remediate CVE-2020-35452, upgrade the affected package to a fixed version below.

• —upgrade to 2.4.48-r0 or later
• —upgrade to 2.4.47 or later
• —upgrade to 2.4.46-6 or later
• —upgrade to 2.4.38-3+deb10u5 or later

Is CVE-2020-35452 being exploited?

Moderate — EPSS is 6.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (4)

• from 0, < 2.4.48-r0
• >= 2.4.0, < 2.4.47
• from 0, < 2.4.46-6
• from 0, < 2.4.38-3+deb10u5

CVSS scores

References (15)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2020-35452
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-35452
• WEBhttpd.apache.org/security/vulnerabilities_24.html
• WEBlists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd%40%3Cdev.httpd.apache.org%3E