Apache – CVE-2020-9490

Description

Kayran has detected that the Version of Apache HTTP Server being used is vulnerable to a ‘Push Diary Crash on a Specifically Crafted HTTP/2 Header’.
CVE-2020-9490 is categorized as a ‘Inconsistent Interpretation of HTTP Requests’ vulnerability, otherwise known as ‘HTTP Request/Response Smuggling’ (CWE-444).

CWE-444 occurs when the product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server.
But in fact, it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages should be processed by those entities that are at the ultimate destination.

In the version being used, a specially crafted value for the ‘Cache-Digest’ header in a HTTP/2 request could result in crashes. Which could happen when the server is actually trying to HTTP/2 PUSH a resource afterwards.

It could lead to a decrease in performance and interruptions in the availability of resources.

Recommendation

Configuring the HTTP/2 feature by toggling “H2Push off” could mitigate CVE-2020-9490 for any unpatched servers.
Also, upgrade the version of Apache HTTP Server being used to 2.4.44.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9490

https://cwe.mitre.org/data/definitions/444.html

< Return to all Vulnerabilities

What is Kayran

Kayran scanner is helping all businesses, both SMBs and enterprises, to test their online assets and products for over 30,000+ vulnerabilities.Kayran’s mission is to make

Read More »

The Dark Web

Let’s talk about the darker and more mysterious side of the internet, also known as The Dark Web. You’ve probably heard about it, whether it’s

Read More »