| Name | CVE-2019-10092 |
| Description | In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1900-1, DSA-4509-1, DSA-4509-3 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| apache2 (PTS) | jessie, jessie (lts) | 2.4.10-10+deb8u29 | fixed |
| stretch (security) | 2.4.25-3+deb9u13 | fixed | |
| stretch (lts), stretch | 2.4.25-3+deb9u19 | fixed | |
| buster, buster (lts) | 2.4.59-1~deb10u4 | fixed | |
| buster (security) | 2.4.59-1~deb10u1 | fixed | |
| bullseye | 2.4.62-1~deb11u1 | fixed | |
| bullseye (security) | 2.4.62-1~deb11u2 | fixed | |
| bookworm (security), bookworm | 2.4.62-1~deb12u2 | fixed | |
| sid, trixie | 2.4.62-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| apache2 | source | wheezy | (not affected) | |||
| apache2 | source | jessie | 2.4.10-10+deb8u15 | DLA-1900-1 | ||
| apache2 | source | stretch | 2.4.25-3+deb9u9 | DSA-4509-3 | ||
| apache2 | source | buster | 2.4.38-3+deb10u3 | DSA-4509-3 | ||
| apache2 | source | (unstable) | 2.4.41-1 |
Affects upstream versions 2.4.0 to 2.4.39
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-10092
https://bz.apache.org/bugzilla/show_bug.cgi?id=63688#c5
https://svn.apache.org/r1864191
Regression: https://bugs.debian.org/941202
[wheezy] - apache2 <not-affected> (vulnerable code introduced in 2.4)