Vulnerability CVE-2020-13938 - CERT Civis.Net

Vulnerability Name:

CVE-2020-13938 (CCN-203460)

Assigned:

2020-06-08

Published:

2021-06-01

Updated:

2022-04-15

Summary:

Apache HTTP Server versions 2.4.0 to 2.4.46 Unprivileged local users can stop httpd on Windows

CVSS v3 Severity:

5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

6.2 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
5.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

4.9 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2020-13938

Source: CCN
Type: Apache Web site
moderate: Improper Handling of Insufficient Privileges

Source: CONFIRM
Type: Release Notes, Vendor Advisory
N/A

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20210609 CVE-2020-13938: Apache httpd: Improper Handling of Insufficient Privileges

Source: XF
Type: UNKNOWN
apache-cve202013938-dos(203460)

Source: CONFIRM
Type: Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10379

Source: MLIST
Type: Mailing List, Vendor Advisory
[httpd-announce] 20210609 CVE-2020-13938: Improper Handling of Insufficient Privileges

Source: MLIST
Type: Mailing List, Vendor Advisory
[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json

Source: CONFIRM
Type: Mailing List, Release Notes, Vendor Advisory
N/A

Source: CCN
Type: oss-sec Mailing List, Wed, 09 Jun 2021 23:11:00 +0200
CVE-2020-13938: Apache httpd: Improper Handling of Insufficient Privileges

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210702-0001/

Source: CCN
Type: IBM Security Bulletin 6464029 (HTTP Server)
Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server

Source: CCN
Type: IBM Security Bulletin 6485593 (Tivoli Monitoring)
Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server

Source: CCN
Type: IBM Security Bulletin 6494731 (Security SiteProtector System)
IBM Security SiteProtector System is affected by Apache HTTP Server vulnerabilities (CVE-2020-13938, CVE-2021-30641)

Source: CCN
Type: IBM Security Bulletin 6497041 (Netezza Performance Portal)
Multiple vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal

Source: CCN
Type: IBM Security Bulletin 6541328 (Rational Build Forge)
IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-31618, CVE-2020-13950, CVE-2019-17567, CVE-2020-26691, CVE-2021-26690, CVE-2020-13938, CVE-2021-30641, CVE-2020-35452)

Vulnerable Configuration:

Configuration 1:

cpe:/a:apache:http_server:*:*:*:*:*:*:*:* (Version >= 2.4.0 and <= 2.4.46)

AND

cpe:/o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:* (Version < 5.10.0)

OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_10:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_11:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_12:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:*

OR cpe:/a:mcafee:epolicy_orchestrator:5.10.0:update_9:*:*:*:*:*:*

Configuration 3:

cpe:/a:netapp:cloud_backup:-:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:apache:http_server:2.4.0:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.1:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.2:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.3:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.4:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.7:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.6:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.9:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.10:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.12:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.18:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.20:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.17:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.23:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.29:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.33:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.25:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.26:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.27:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.28:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.34:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.35:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.37:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.39:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.41:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.43:*:*:*:*:*:*:*

OR cpe:/a:apache:http_server:2.4.46:*:*:*:*:*:*:*

AND

cpe:/a:ibm:http_server:7.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:http_server:8.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:http_server:8.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_build_forge:8.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_siteprotector_system:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_monitoring:6.3.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_monitoring:6.3.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_monitoring:6.3.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_monitoring:6.3.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_monitoring:6.3.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_monitoring:6.3.0.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:security_siteprotector_system:3.0.0:*:*:*:*:*:*:*

Denotes that component is vulnerable