Cyber Resilience

CVE-2019-0211

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 08 April 2019

Published
08 April 2019
Modified
27 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.8957 99.6th percentile
Risk Priority 89 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-0211 is a high-severity Use After Free (CWE-416) vulnerability in Redhat Enterprise Linux Eus. Its CVSS base score is 7.8 (High).

Operationally, ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SC-39 (Process Isolation).

Deeper analysis

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38 using the event, worker, or prefork MPMs, a use-after-free condition tracked as CWE-416 allows code running in less-privileged child processes or threads, including scripts executed by in-process interpreters, to manipulate the scoreboard and execute arbitrary code with the privileges of the parent process, which is typically root. The flaw is restricted to Unix systems; non-Unix platforms are unaffected. The vulnerability received a CVSS 3.1 base score of 7.8 under the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

An attacker who can execute code within a worker or script context, such as through a compromised CGI script or in-process module, can leverage the scoreboard to escalate privileges to those of the parent httpd process. Successful exploitation grants full control over the server process, enabling actions such as reading or modifying any file accessible to root and potentially compromising the entire host.

Advisories from OpenSUSE and Slackware, along with exploit references on PacketStorm, point to vendor updates that address the issue in affected packages; administrators are expected to apply the corresponding httpd patches to eliminate the scoreboard manipulation vector.

EU & UK References

Vulnerability details

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the…

more

parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
http server
2.4.17 — 2.4.38
fedoraproject
fedora
28, 29, 30
canonical
ubuntu linux
14.04, 16.04, 18.04, 18.10
debian
debian linux
9.0
opensuse
leap
15.0, 42.3
netapp
oncommand unified manager
all versions
redhat
jboss core services
1.0
redhat
openshift container platform
3.11
redhat
openshift container platform for power
3.11_ppc64le
redhat
software collections
1.0
+17 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly counters the failure of process isolation that lets a child/worker manipulate the shared scoreboard to escalate to the parent (root) process.

prevent

Enforces least privilege so that worker/child processes and in-process interpreters cannot obtain the parent process's root rights even if the scoreboard is manipulated.

prevent

Requires timely application of the vendor patch that eliminates the use-after-free scoreboard flaw in the affected Apache MPMs.

References