Public Date:
1694980: CVE-2019-0211 httpd: privilege escalation from modules scripts
A flaw was found in Apache where code executing in a less-privileged child process or thread could execute arbitrary code with the privilege of the parent process (usually root). An attacker having access to run arbitrary scripts on the web server (PHP, CGI etc) could use this flaw to run code on the web server with root privileges.

Find out more about CVE-2019-0211 from the MITRE CVE dictionary and NIST NVD.


This flaw is exploitable in httpd if it is configured to allow an untrusted user to upload and execute arbitrary scripts. Due to the nature of the flaw, the uploaded script does not run as the restricted, low-privileged user but as root, allowing privilege escalation from the restricted user to root on the web server.

Depending on the configuration of the server, an attacker would need local (AV:L) privileges to place the script, or network (AV:N) privileges if the server ran an application that permitted uploading scripts directly. The latter scenario is not common for unauthenticated users. Once the attacker can place the script somewhere in the web root, it can be easily exploited (AC:L). This type of setup is more common in shared hosting environments (PR:L) and would allow an attacker with access to one site on the shared host to impact the confidentiality, integrity, and availability of the system (CIA:H) with no user interaction (UI:N). Due to the elevated privileges obtained, there is an impact to the system beyond the web server itself (S:C).

CVSS v3 metrics

| Metric | Value |
|---|---|
| CVSS3 Base Score | 8.8 |
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |

Red Hat Security Errata

| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Core Services 1 | RHSA-2019:1543 | 2019-06-18 |
| Red Hat JBoss Core Services on RHEL 6 Server | RHSA-2019:1297 | 2019-05-30 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (httpd24-httpd) | RHSA-2019:0746 | 2019-04-11 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 (httpd24-httpd) | RHSA-2019:0746 | 2019-04-11 |
| Red Hat JBoss Core Services 1 | RHSA-2019:1296 | 2019-05-30 |
| Red Hat Enterprise Linux 8 (httpd:2.4) | RHSA-2019:0980 | 2019-05-07 |
| Red Hat JBoss Core Services on RHEL 7 Server | RHSA-2019:1297 | 2019-05-30 |

Affected Packages State

| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | rhvm-appliance | Not affected |
| Red Hat JBoss Web Server 3 | httpd | Not affected |
| Red Hat JBoss EWS 2 | httpd | Out of support scope |
| Red Hat Enterprise Linux 7 | httpd | Not affected |
| Red Hat Enterprise Linux 6 | httpd | Not affected |
| Red Hat Enterprise Linux 5 | httpd | Not affected |

Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.
