{
  "threat_severity" : "Low",
  "public_date" : "2020-04-01T00:00:00Z",
  "bugzilla" : {
    "description" : "httpd: mod_proxy_ftp use of uninitialized value",
    "id" : "1820772",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1820772"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-456",
  "details" : [ "In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.", "A flaw was found in Apache's HTTP server (httpd). The mod_proxy_ftp module may use uninitialized memory when proxying to a malicious FTP server. The highest threat from this vulnerability is to data confidentiality." ],
  "statement" : "This flaw is caused by the use of an uninitialized variable. In practice this has no impact, but in some corner cases the contents of this variable could be read by a remote process, resulting in a loss of confidentiality. There is no evidence of code execution.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-curl-0:7.64.1-36.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-httpd-0:2.4.37-57.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.14-4.Final_redhat_2.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_http2-0:1.15.7-3.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.48-4.redhat_1.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_md-1:2.0.8-24.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_security-0:2.9.2-51.GA.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-nghttp2-0:1.39.2-25.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-curl-0:7.64.1-36.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.37-57.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.14-4.Final_redhat_2.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_http2-0:1.15.7-3.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.48-4.redhat_1.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_md-1:2.0.8-24.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_security-0:2.9.2-51.GA.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-nghttp2-0:1.39.2-25.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2644",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-openssl-pkcs11-0:0.4.10-7.jbcs.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-29T00:00:00Z",
    "advisory" : "RHSA-2020:3958",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "httpd-0:2.4.6-95.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4751",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "httpd:2.4-8030020200818000036.30b713e6"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2020-06-22T00:00:00Z",
    "advisory" : "RHSA-2020:2646",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "httpd"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Fix deferred",
    "package_name" : "httpd24-httpd",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-1934\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-1934\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2020-1934",
  "csaw" : false
}