Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service. Reference: https://svn.apache.org/r1678771
This vulnerability is out of security support scope for the following products: * Red Hat JBoss Enterprise Application Platform 6 * Red Hat JBoss Enterprise Web Server 2 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1969234]
(In reply to Pedro Sampaio from comment #0) > In Apache httpd before 2.4.48 mod_proxy has a NULL pointer dereference. Please correct me if I'm wrong, I think version 2.4.48 might be susceptible to the same bug at this line [0]. [0] https://github.com/apache/httpd/blob/c37a3162d1c0aeb6f3b80e831243daf61596ac87/modules/proxy/mod_proxy_http.c#L456
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2021:4613 https://access.redhat.com/errata/RHSA-2021:4613
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2021:4614 https://access.redhat.com/errata/RHSA-2021:4614
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13950
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5163 https://access.redhat.com/errata/RHSA-2022:5163