According to experts from the International Institute of Cyber Security (IICS), a critical privilege escalation vulnerability in the Apache HTTP Server allows users with permission to write and run scripts to gain root privileges on Unix systems; according to the company, the flaw was corrected in its latest update.
The vulnerability, tracked as CVE-2019-0211, affects all Apache HTTP Server releases from version 2.4.17 to 2.4.38; according to the IICS experts, the flaw makes it possible to run arbitrary code.
The Apache Software Foundation founders said in a statement that the vulnerability was corrected in the latest update; they added that the flaw is especially critical if the web server is used to run shared hosting instances.
“In the 2.4.17 to 2.4.38 versions of Apache HTTP Server 2.4, code that runs on secondary processes or threads that require lesser privileges (including scripts executed by a script interpreter in process) could execute arbitrary code with root privileges using scoreboard manipulation. It is important to note that non-Unix systems are safe from the exploitation of this vulnerability”, mentions the Apache Software statement.
Apache Software managers mentioned that users with limited permissions on the server could escalate privileges by using scripts to execute commands as root on the compromised servers.
Two further security errors were also corrected, the IICS experts mentioned. The first, tracked as CVE-2019-0217, allowed users with valid login credentials to log in using a different username. The second, CVE-2019-0215, allowed clients with Post-Authentication Handshake support to bypass previously configured access control restrictions.
In addition to the vulnerabilities mentioned above, the Apache Software Foundation corrected three other vulnerabilities of medium severity.