LIVE NEWSROOM · May 25, 2026
A LIBRARY FOR SECURITY RESEARCHERS


CVE-2019-0211

Apache HTTP Server Privilege Escalation Vulnerability

CVSS 7.8 · HIGH ⚠ CISA KEV — ACTIVELY EXPLOITED
On the CISA KEV catalog

Confirmed exploited in the wild. Added 2021-11-03. Federal remediation due 2022-05-03.
Required action: Apply updates per vendor instructions.

Summary

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

CVSS 3.1 breakdown

Base score: 7.8 (HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Weakness type (CWE)

Affected products

Apache http server
Fedoraproject fedora
Canonical ubuntu linux
Debian debian linux
Opensuse leap
Netapp oncommand unified manager
Redhat jboss core services
Redhat openshift container platform
Redhat openshift container platform for power
Redhat software collections
Redhat enterprise linux
Redhat enterprise linux eus
Redhat enterprise linux for arm 64
Redhat enterprise linux for arm 64 eus
Redhat enterprise linux for ibm z systems
Redhat enterprise linux for ibm z systems eus
Redhat enterprise linux for power little endian
Redhat enterprise linux for power little endian eus
Redhat enterprise linux server aus
Redhat enterprise linux server tus

References

Data: NIST NVD + CISA KEV. NVD last modified 2025-10-27. Always verify against the vendor advisory before acting.
