Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM14B3F9EB98A8E27CF7244597E68B5F0E86C34BCDEFBA986C2D600145A4C5CCFB
HistoryJan 17, 2022 - 6:35 p.m.

Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-31618, CVE-2020-13950, CVE-2019-17567, CVE-2020-26691, CVE-2021-26690, CVE-2020-13938, CVE-2021-30641, CVE-2020-35452)

2022-01-1718:35:14
www.ibm.com
32

0.052 Low

EPSS

Percentile

93.1%

JSON

Summary

IBM Rational Build Forge version 8.0.x is affected by CVE-2021-31618, CVE-2020-13950, CVE-2019-17567, CVE-2020-26691, CVE-2021-26690, CVE-2020-13938, CVE-2021-30641, CVE-2020-35452

Vulnerability Details

CVEID:CVE-2021-31618
**DESCRIPTION:**Apache HTTP Server is vulnerable to a denial of service, caused by a NULL pointer dereference in the HTTP/2 protocol handler. By sending a specially crafted HTTP/2 request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203466 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-13950
**DESCRIPTION:**Apache HTTP Server is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending specially crafted requests using both Content-Length and Transfer-Encoding headers, a remote attacker could exploit this vulnerability to crash mod_proxy_http.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-17567
**DESCRIPTION:**Apache HTTP Server could allow a remote attacker to bypass security restrictions, caused by mod_proxy_wstunnel being configured on an URL that is not necessarily upgraded by the origin server. An attacker could exploit this vulnerability to allow requests on the same connection to pass through with no HTTP validation, authentication or authorization.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2020-26691
DESCRIPTION:
CVSS Base score: 5.6
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2021-26690
**DESCRIPTION:**Apache HTTP Server is vulnerable to a denial of service, caused by a NULL pointer dereference. A remote attacker could exploit this vulnerability using a specially crafted Cookie header handled by mod_session to cause the system to crash.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203464 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-13938
**DESCRIPTION:**Apache HTTP Server is vulnerable to a denial of service, caused by the improper handling of insufficient privileges. A local attacker could exploit this vulnerability to stop httpd on Windows, resulting in a denial of service.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203460 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-30641
**DESCRIPTION:**Apache HTTP Server could provide weaker than expected security, caused by unexpected URL matching behavior with 'MergeSlashes OFF. An attacker could exploit this vulnerability to match URLs from all sites in the same domain and launch further attacks on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203459 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2020-35452
**DESCRIPTION:**Apache HTTP Server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by mod_auth_digest. By using a specially crafted Digest nonce, a remote attacker could overflow a buffer and possibly launch further attacks on the system.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203463 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
Build Forge 8.0 - 8.0.0.20

Remediation/Fixes

You must download the fix pack specified in the following table and apply it.

Affected Supporting Product(s)

|

Remediation/Fix

—|—

IBM Rational Build Forge 8.0 to 8.0.0.20

|

Download IBM Rational Build Forge 8.0.0.21.

The fix includes Apache-HTTP-Server-2.4.52

Workarounds and Mitigations

None

CPENameOperatorVersion
rational build forge familyeq8.0.0.21

Related

nessus 47
kaspersky 1
amazon 4
freebsd 1
openvas 33
slackware 1
mageia 1
photon 5
gentoo 1
suse 2
ibm 19
debian 2
ubuntu 2
osv 17
fedora 4
ubuntucve 4
rocky 1
redhat 4
almalinux 1
oraclelinux 3
attackerkb 3
rosalinux 1
debiancve 4
cbl_mariner 4
cvelist 4
nvd 4
cve 2
veracode 4
redhatcve 4
alpinelinux 5
httpd 3
prion 4
f5 3
vulnrichment 1
nessus
nessus
Amazon Linux 2 : httpd (ALAS-2021-1659)
2021-06-24 00:00:00
Apache 2.4.x < 2.4.48 Multiple Vulnerabilities
2021-06-15 00:00:00
FreeBSD : Apache httpd -- Multiple vulnerabilities (cce76eca-ca16-11eb-9b84-d4c9ef517024)
2021-06-25 00:00:00
kaspersky
kaspersky
KLA12369 Multiple vulnerabilities in Apache HTTP Server
2021-06-01 00:00:00
amazon
amazon
Important: httpd
2021-06-16 20:37:00
Medium: httpd24
2021-07-08 18:38:00
Medium: httpd
2021-07-01 00:59:00
freebsd
freebsd
Apache httpd -- Multiple vulnerabilities
2021-06-09 00:00:00
openvas
openvas
Slackware: Security Advisory (SSA:2021-158-01)
2022-04-21 00:00:00
Mageia: Security Advisory (MGASA-2021-0265)
2022-01-28 00:00:00
openSUSE: Security Advisory for apache2 (openSUSE-SU-2021:0908-1)
2021-06-25 00:00:00
slackware
slackware
[slackware-security] httpd
2021-06-07 19:07:12
mageia
mageia
Updated apache packages fix security vulnerabilities
2021-06-16 23:22:25
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-2.0-0365
2021-06-30 00:00:00
Important Photon OS Security Update - PHSA-2021-0257
2021-06-22 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-1.0-0409
2021-07-01 00:00:00
gentoo
gentoo
Apache: Multiple vulnerabilities
2021-07-17 00:00:00
suse
suse
Security update for apache2 (important)
2021-07-10 00:00:00
Security update for apache2 (important)
2021-06-24 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities in Apache HTTP Server affect IBM i
2021-09-24 22:34:57
Security Bulletin: Multiple security vulnerabilities have been identified in IBM HTTP Server shipped with IBM Rational ClearCase (CVE-2020-13938, CVE-2021-30641, CVE-2021-26690, CVE-2021-26691)
2021-09-16 06:03:38
Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal
2021-10-07 06:28:11
debian
debian
[SECURITY] [DSA 4937-1] apache2 security update
2021-07-08 17:14:14
[SECURITY] [DLA 2706-1] apache2 security update
2021-07-09 08:50:21
ubuntu
ubuntu
Apache HTTP Server vulnerabilities
2021-06-21 00:00:00
Apache HTTP Server vulnerabilities
2021-06-21 00:00:00
osv
osv
apache2 vulnerabilities
2021-06-21 14:01:37
apache2 - security update
2021-07-08 00:00:00
apache2 vulnerabilities
2021-06-21 15:25:05
fedora
fedora
[SECURITY] Fedora 35 Update: httpd-2.4.49-1.fc35
2021-09-24 20:56:12
[SECURITY] Fedora 34 Update: httpd-2.4.49-1.fc34
2021-09-20 13:58:04
[SECURITY] Fedora 33 Update: mod_http2-1.15.19-1.fc33
2021-06-20 01:07:30
ubuntucve
ubuntucve
CVE-2020-13950
2021-06-10 00:00:00
CVE-2020-13938
2021-06-10 00:00:00
CVE-2021-31618
2021-06-15 00:00:00
rocky
rocky
httpd:2.4 security, bug fix, and enhancement update
2021-11-09 08:52:38
redhat
redhat
(RHSA-2021:4257) Moderate: httpd:2.4 security, bug fix, and enhancement update
2021-11-09 08:52:38
(RHSA-2021:4613) Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP10 security update
2021-11-10 17:09:50
(RHSA-2021:4614) Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP10 security update
2021-11-10 17:10:19
almalinux
almalinux
Moderate: httpd:2.4 security, bug fix, and enhancement update
2021-11-09 08:52:38
oraclelinux
oraclelinux
httpd:2.4 security, bug fix, and enhancement update
2021-11-16 00:00:00
httpd:2.4 security update
2022-06-24 00:00:00
httpd security update
2021-11-04 00:00:00
attackerkb
attackerkb
CVE-2020-1934
2020-04-01 00:00:00
CVE-2017-15715
2018-03-26 00:00:00
CVE-2011-3192
2011-08-29 00:00:00
rosalinux
rosalinux
Advisory ROSA-SA-2023-2159
2023-04-25 11:49:15
debiancve
debiancve
CVE-2019-17567
2021-06-10 07:15:07
CVE-2020-13938
2021-06-10 07:15:07
CVE-2021-31618
2021-06-15 09:15:07
cbl_mariner
cbl_mariner
CVE-2020-13950 affecting package httpd 2.4.46-6
2021-07-08 21:56:40
CVE-2019-17567 affecting package httpd for versions less than 2.4.52-1
2022-04-09 06:51:57
CVE-2019-17567 affecting package httpd 2.4.46-6
2021-10-15 04:46:31
cvelist
cvelist
CVE-2020-13938 Improper Handling of Insufficient Privileges
2021-06-10 07:10:20
CVE-2020-35452 mod_auth_digest possible stack overflow by one nul byte
2021-06-10 07:10:21
CVE-2020-13950 mod_proxy_http NULL pointer dereference
2021-06-10 07:10:21
nvd
nvd
CVE-2019-17567
2021-06-10 07:15:07
CVE-2020-13938
2021-06-10 07:15:07
CVE-2021-31618
2021-06-15 09:15:07
cve
cve
CVE-2019-17567
2021-06-10 07:15:07
CVE-2020-13938
2021-06-10 07:15:07
veracode
veracode
Privilege Escalation
2021-06-13 22:57:31
Privilege Escalation
2021-07-11 18:17:25
Denial Of Service (DoS)
2021-06-13 08:39:49
redhatcve
redhatcve
CVE-2020-13938
2021-06-09 15:44:30
CVE-2019-17567
2021-06-08 03:49:47
CVE-2020-13950
2021-06-08 03:49:50
alpinelinux
alpinelinux
CVE-2020-13938
2021-06-10 07:15:07
CVE-2020-35452
2021-06-10 07:15:07
CVE-2021-31618
2021-06-15 09:15:07
httpd
httpd
Apache Httpd < 2.4.48 : Improper Handling of Insufficient Privileges
2021-01-26 00:00:00
Apache Httpd < 2.4.48 : mod_auth_digest possible stack overflow by one nul byte
2020-11-11 00:00:00
Apache Httpd < 2.4.48 : mod_proxy_wstunnel tunneling of non Upgraded connections
2019-10-05 00:00:00
prion
prion
Code injection
2021-06-10 07:15:00
Authentication flaw
2021-06-10 07:15:00
Stack overflow
2021-06-10 07:15:00
f5
f5
K38453823 : Apache vulnerability CVE-2021-31618
2021-06-23 00:00:00
K87323016 : Apache mod_proxy vulnerability CVE-2020-13950
2022-05-17 00:00:00
K000133522 : Apache mod_proxy_wstunnel vulnerability CVE-2019-17567
2023-04-14 00:00:00
vulnrichment
vulnrichment
CVE-2021-31618 NULL pointer dereference on specially crafted HTTP/2 request
2021-06-15 00:00:00

0.052 Low

EPSS

Percentile

93.1%

JSON
Related for 14B3F9EB98A8E27CF7244597E68B5F0E86C34BCDEFBA986C2D600145A4C5CCFB
nessus47kaspersky1amazon4freebsd1openvas33slackware1mageia1photon5gentoo1suse2ibm19debian2ubuntu2osv17fedora4ubuntucve4rocky1redhat4almalinux1oraclelinux3attackerkb3rosalinux1debiancve4cbl_mariner4cvelist4nvd4cve2veracode4redhatcve4alpinelinux5httpd3prion4f53vulnrichment1