There is a spoofing vulnerability in the IBM HTTP Server used by WebSphere Application Server version 9. This vulnerability has been fixed in IBM HTTP Server version 9.0.0.3.
CVEID: CVE-2020-11985
**DESCRIPTION:** Apache HTTP Server could allow a remote attacker to conduct spoofing attacks, caused by a flaw when using proxying with mod_remoteip and certain mod_rewrite rules. By sending a specially-crafted request, an attacker could exploit this vulnerability to spoof the IP address seen by logging and PHP scripts. Note: This vulnerability was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186403 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
This vulnerability affects the following version and release of IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.
Affected Product(s) | Version(s) |
---|---|
IBM HTTP Server | 9.0 |
For IBM HTTP Server used by WebSphere Application Server:
For V9.0.0.0 through 9.0.0.2:
· Apply Fix Pack 9.0.0.3 or later.
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm http server | eq | 9.0 |
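To prioritise patching, the following added example (not part of the IBM bulletin) checks a server's version banner against the affected range above and reports whether the configuration uses both mod_remoteip and mod_rewrite, the combination named in the description. The `IBM_HTTP_Server/x.y.z.w` banner format, the function names and the sample configuration are assumptions made for illustration.

```python
import re

# Range taken from the advisory: V9.0.0.0 through 9.0.0.2, fixed in 9.0.0.3.
FIRST_AFFECTED, FIXED = (9, 0, 0, 0), (9, 0, 0, 3)

def parse_version(banner):
    """Return the 4-part IHS version from a banner line, or None (format assumed)."""
    m = re.search(r"IBM_HTTP_Server/(\d+(?:\.\d+){0,3})", banner)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def directives(conf_text):
    """Yield (lowercased name, args) for active directives; skips comments and <Section> tags."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, *rest = line.split(None, 1)
            yield name.lower(), rest[0] if rest else ""

def triage(banner, conf_text):
    """Return (in_affected_range, preconditions_present); first item is None if the banner is unparsable."""
    # Include files are not followed, and the advisory does not say which
    # rewrite rules matter, so the second value is a coarse signal only.
    version = parse_version(banner)
    in_range = None if version is None else FIRST_AFFECTED <= version < FIXED
    modules, remoteip_header, rewrite_on = set(), False, False
    for name, args in directives(conf_text):
        if name == "loadmodule" and args:
            modules.add(args.split()[0])
        elif name == "remoteipheader" and args:
            remoteip_header = True
        elif name == "rewriteengine" and args.lower() == "on":
            rewrite_on = True
    uses_remoteip = "remoteip_module" in modules and remoteip_header
    uses_rewrite = "rewrite_module" in modules and rewrite_on
    return in_range, uses_remoteip and uses_rewrite

# Constructed sample input (not from a real server).
SAMPLE_BANNER = "Server version: IBM_HTTP_Server/9.0.0.2 (Unix)"
SAMPLE_CONF = """\
LoadModule remoteip_module modules/mod_remoteip.so
LoadModule rewrite_module modules/mod_rewrite.so
RemoteIPHeader X-Forwarded-For
RewriteEngine On
"""
```

A result of `(True, True)` marks a server that is both in the affected range and running the module combination, so it should receive Fix Pack 9.0.0.3 or later first; `(True, False)` still needs the fix pack.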