Vulnerability details: VCID-9u3h-a9qk-aaab
Vulnerability ID VCID-9u3h-a9qk-aaab
Aliases CVE-2019-10098
Summary In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.
Status Published
Exploitability 2.0
Weighted Severity 7.0
Risk 10.0
System Score Found at
generic_textual Low http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10098.html
rhas Moderate https://access.redhat.com/errata/RHSA-2020:1336
rhas Moderate https://access.redhat.com/errata/RHSA-2020:1337
rhas Moderate https://access.redhat.com/errata/RHSA-2020:2263
rhas Moderate https://access.redhat.com/errata/RHSA-2020:3958
rhas Moderate https://access.redhat.com/errata/RHSA-2020:4751
cvssv3 3.7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10098.json
epss 0.19751 https://api.first.org/data/v1/epss?cve=CVE-2019-10098
epss 0.21029 https://api.first.org/data/v1/epss?cve=CVE-2019-10098
epss 0.21190 https://api.first.org/data/v1/epss?cve=CVE-2019-10098
epss 0.71372 https://api.first.org/data/v1/epss?cve=CVE-2019-10098
epss 0.74556 https://api.first.org/data/v1/epss?cve=CVE-2019-10098
epss 0.79248 https://api.first.org/data/v1/epss?cve=CVE-2019-10098
epss 0.81459 https://api.first.org/data/v1/epss?cve=CVE-2019-10098
epss 0.82493 https://api.first.org/data/v1/epss?cve=CVE-2019-10098
rhbs low https://bugzilla.redhat.com/show_bug.cgi?id=1743959
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10081
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10082
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10092
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10098
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517
cvssv3 8.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
apache_httpd low https://httpd.apache.org/security/json/CVE-2019-10098.json
cvssv3.1 7.5 https://httpd.apache.org/security/vulnerabilities_24.html
generic_textual HIGH https://httpd.apache.org/security/vulnerabilities_24.html
cvssv2 5.8 https://nvd.nist.gov/vuln/detail/CVE-2019-10098
cvssv3 6.1 https://nvd.nist.gov/vuln/detail/CVE-2019-10098
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2019-10098
generic_textual Medium https://ubuntu.com/security/notices/USN-4113-1
generic_textual Low https://usn.ubuntu.com/usn/usn-4113-1
generic_textual Low https://www.openwall.com/lists/oss-security/2019/08/15/6
cvssv3.1 9.8 https://www.oracle.com/security-alerts/cpuapr2020.html
generic_textual CRITICAL https://www.oracle.com/security-alerts/cpuapr2020.html
cvssv3.1 7.5 https://www.oracle.com/security-alerts/cpuApr2021.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpuApr2021.html
cvssv3.1 9.8 https://www.oracle.com/security-alerts/cpujan2020.html
generic_textual CRITICAL https://www.oracle.com/security-alerts/cpujan2020.html
cvssv3.1 9.8 https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
generic_textual CRITICAL https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Reference id Reference type URL
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10098.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10098.json
https://api.first.org/data/v1/epss?cve=CVE-2019-10098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://httpd.apache.org/security/vulnerabilities_24.html
https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r5d12ffc80685b0df1d6801e68000a7707dd694fe32e4f221de67c210@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r5d12ffc80685b0df1d6801e68000a7707dd694fe32e4f221de67c210%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://ubuntu.com/security/notices/USN-4113-1
https://usn.ubuntu.com/usn/usn-4113-1
https://www.openwall.com/lists/oss-security/2019/08/15/6
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
http://www.openwall.com/lists/oss-security/2020/04/01/4
1743959 https://bugzilla.redhat.com/show_bug.cgi?id=1743959
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
CVE-2019-10098 Exploit https://0day.work/open-redirects-in-improperly-configured-mod_rewrite-rules-poc-for-cve-2019-10098/
CVE-2019-10098 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/47689.md
CVE-2019-10098 https://httpd.apache.org/security/json/CVE-2019-10098.json
CVE-2019-10098 https://nvd.nist.gov/vuln/detail/CVE-2019-10098
RHSA-2020:1336 https://access.redhat.com/errata/RHSA-2020:1336
RHSA-2020:1337 https://access.redhat.com/errata/RHSA-2020:1337
RHSA-2020:2263 https://access.redhat.com/errata/RHSA-2020:2263
RHSA-2020:3958 https://access.redhat.com/errata/RHSA-2020:3958
RHSA-2020:4751 https://access.redhat.com/errata/RHSA-2020:4751
Data source Exploit-DB
Date added Nov. 19, 2019
Description Apache Httpd mod_rewrite - Open Redirects
Ransomware campaign use Unknown
Source publication date Oct. 14, 2019
Exploit type webapps
Platform multiple
Source update date Nov. 19, 2019
Source URL https://0day.work/open-redirects-in-improperly-configured-mod_rewrite-rules-poc-for-cve-2019-10098/
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10098.json
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://httpd.apache.org/security/vulnerabilities_24.html
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-10098
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-10098
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpuapr2020.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://www.oracle.com/security-alerts/cpuApr2021.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpujan2020.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.96435
EPSS Score 0.19751
Published At Nov. 1, 2024, midnight