{
  "threat_severity" : "Moderate",
  "public_date" : "2020-04-01T00:00:00Z",
  "bugzilla" : {
    "description" : "httpd: mod_rewrite configurations vulnerable to open redirect",
    "id" : "1820761",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1820761"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-601",
  "details" : [ "In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.", "A flaw was found in Apache HTTP Server (httpd) versions 2.4.0 to 2.4.41. Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirected instead to an unexpected URL within the request URL." ],
  "statement" : "This issue only affects httpd versions between 2.4.0 and 2.4.41. Therefore Red Hat Enterprise Linux 5 and 6 are not affected by this flaw.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services Apache HTTP Server 2.4.37 SP2",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1336",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "httpd"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-apr-0:1.6.3-86.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-brotli-0:1.0.6-21.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-httpd-0:2.4.37-52.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.12-41.Final_redhat_2.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_http2-0:1.11.3-22.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-openssl-1:1.1.1c-16.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-apr-0:1.6.3-86.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-brotli-0:1.0.6-21.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.37-52.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.12-41.Final_redhat_2.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_http2-0:1.11.3-22.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-openssl-1:1.1.1c-16.jbcs.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-29T00:00:00Z",
    "advisory" : "RHSA-2020:3958",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "httpd-0:2.4.6-95.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4751",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "httpd:2.4-8030020200818000036.30b713e6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2020-05-26T00:00:00Z",
    "advisory" : "RHSA-2020:2263",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "httpd24-httpd-0:2.4.34-18.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2020-05-26T00:00:00Z",
    "advisory" : "RHSA-2020:2263",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-httpd-0:2.4.34-18.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2020-05-26T00:00:00Z",
    "advisory" : "RHSA-2020:2263",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-mod_md-1:2.0.8-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2020-05-26T00:00:00Z",
    "advisory" : "RHSA-2020:2263",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-httpd-0:2.4.34-18.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2020-05-26T00:00:00Z",
    "advisory" : "RHSA-2020:2263",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-mod_md-1:2.0.8-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2020-05-26T00:00:00Z",
    "advisory" : "RHSA-2020:2263",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-httpd-0:2.4.34-18.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2020-05-26T00:00:00Z",
    "advisory" : "RHSA-2020:2263",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-mod_md-1:2.0.8-1.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-1927\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-1927\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2020-1927",
  "csaw" : false
}