
CVE-2020-11984: Apache HTTP Server RCE Vulnerability

CVE-2020-11984 is a remote code execution flaw in Apache HTTP Server's mod_proxy_uwsgi module affecting versions 2.4.32 to 2.4.44. This post covers the technical details, affected versions, impact, and mitigation.

Published: March 11, 2026

CVE-2020-11984 Overview

CVE-2020-11984 is a buffer overflow vulnerability in Apache HTTP Server versions 2.4.32 through 2.4.44, specifically affecting the mod_proxy_uwsgi module. This vulnerability enables information disclosure and potentially allows remote code execution (RCE). The flaw exists in how the module handles specially crafted requests when proxying to a uWSGI backend, allowing attackers to overflow a buffer and potentially take complete control of affected systems.

Critical Impact

This vulnerability allows unauthenticated remote attackers to potentially achieve remote code execution or extract sensitive information from Apache HTTP Server instances using mod_proxy_uwsgi, representing a severe threat to web infrastructure security.

Affected Products

  • Apache HTTP Server 2.4.32 to 2.4.44
  • NetApp Clustered Data ONTAP
  • Canonical Ubuntu Linux 16.04 LTS, 18.04 LTS, 20.04 LTS
  • Debian Linux 9.0 and 10.0
  • Fedora 31 and 32
  • openSUSE Leap 15.1 and 15.2
  • Oracle Communications Element Manager
  • Oracle Communications Session Report Manager
  • Oracle Communications Session Route Manager
  • Oracle Enterprise Manager Ops Center 12.4.0.0
  • Oracle Hyperion Infrastructure Technology 11.1.2.4
  • Oracle Instantis EnterpriseTrack 17.1, 17.2, 17.3
  • Oracle ZFS Storage Appliance Kit 8.8

Discovery Timeline

  • August 7, 2020 - CVE-2020-11984 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2020-11984

Vulnerability Analysis

This vulnerability resides in the mod_proxy_uwsgi module of Apache HTTP Server, which provides proxy functionality for uWSGI application servers. The root issue is a classic buffer overflow (CWE-120) that occurs when the module improperly handles request data during the proxy operation.

When Apache HTTP Server is configured to proxy requests to a uWSGI backend using mod_proxy_uwsgi, malformed or oversized request data can overflow internal buffers. This memory corruption can lead to two primary exploitation scenarios: information disclosure, where an attacker can read memory contents beyond intended boundaries, and remote code execution, where careful manipulation of overflowed data can hijack program execution flow.

The vulnerability requires no authentication and can be exploited remotely over the network, making it particularly dangerous for internet-facing Apache installations using uWSGI proxying. Given the widespread deployment of Apache HTTP Server and the popularity of Python web applications using uWSGI, this vulnerability has broad potential impact.

Root Cause

The vulnerability stems from improper bounds checking when processing request data in the mod_proxy_uwsgi module (CWE-120: Buffer Copy without Checking Size of Input). The module fails to properly validate the size of incoming request data before copying it into a fixed-size buffer, allowing attackers to write beyond allocated memory boundaries.

Attack Vector

An attacker can exploit this vulnerability by sending specially crafted HTTP requests to an Apache HTTP Server configured with mod_proxy_uwsgi enabled. The attack is network-based and requires no user interaction or authentication. The attacker crafts requests with oversized or malformed data designed to overflow the vulnerable buffer in the proxy module. Upon successful exploitation, the attacker may leak sensitive memory contents or achieve arbitrary code execution with the privileges of the Apache HTTP Server process.

The exploitation mechanism involves manipulating the uWSGI protocol headers or request body in a way that causes the buffer overflow when Apache processes and forwards the request to the backend uWSGI server. For detailed technical analysis, refer to the Packet Storm Exploit Analysis.

Detection Methods for CVE-2020-11984

Indicators of Compromise

  • Unexpected crashes or segmentation faults in Apache HTTP Server processes, particularly httpd worker processes
  • Abnormal memory consumption patterns in Apache processes handling proxied requests
  • Suspicious HTTP requests with unusually large headers or body content targeting uWSGI proxy endpoints
  • Evidence of memory corruption or unexpected data in Apache error logs

Detection Strategies

  • Monitor Apache error logs for segmentation faults, memory allocation errors, or unexpected process terminations
  • Implement web application firewall (WAF) rules to detect and block oversized or malformed HTTP requests targeting proxy endpoints
  • Use intrusion detection systems (IDS) to identify patterns consistent with buffer overflow exploitation attempts
  • Deploy SentinelOne Singularity platform for behavioral detection of memory corruption exploitation and anomalous process behavior

Monitoring Recommendations

  • Enable detailed Apache logging including request headers and sizes for forensic analysis
  • Monitor system-level metrics for Apache processes including memory usage, CPU spikes, and unexpected process restarts
  • Implement network traffic analysis to detect unusual patterns in traffic destined for uWSGI proxy configurations
  • Configure alerting for Apache process crashes or restarts that may indicate exploitation attempts
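
The error-log monitoring and crash alerting recommended above can be prototyped with a short script. This is an added example, not code from the advisory or from SentinelOne; the function names, the per-minute threshold and the sample log lines are constructed, and it assumes the default Apache 2.4 error-log timestamp format.

```bash
# Added example (not from the advisory): find bursts of abnormal httpd child
# exits in an Apache 2.4 error log. Function names, the threshold and the
# sample log are constructed; AH00051/AH00052 are httpd's child-exit notices.

# Count child exits caused by a signal (segfault, bus error, abort) on stdin.
count_child_crashes() {
    grep -Ec 'AH0005[12]: child pid [0-9]+ exit signal' || true
}

# Print "<minute><TAB><count>" for every minute with at least $1 such exits.
crash_bursts() {
    awk -v min="$1" '
        /AH0005[12]: child pid [0-9]+ exit signal/ {
            # Default timestamp: [Wed Aug 12 10:15:02.101010 2020]
            key = $2 " " $3 " " substr($4, 1, 5) " " $5
            sub(/\]$/, "", key)
            if (!(key in hits)) order[++n] = key
            hits[key]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (hits[order[i]] >= min) print order[i] "\t" hits[order[i]]
        }'
}

# Constructed sample log lines (three crashes in one minute, one isolated).
SAMPLE_LOG='[Wed Aug 12 10:15:02.101010 2020] [core:notice] [pid 900] AH00052: child pid 1201 exit signal Segmentation fault (11)
[Wed Aug 12 10:15:17.202020 2020] [core:notice] [pid 900] AH00052: child pid 1207 exit signal Segmentation fault (11)
[Wed Aug 12 10:15:41.303030 2020] [core:notice] [pid 900] AH00051: child pid 1213 exit signal Segmentation fault (11), possible coredump in /tmp
[Wed Aug 12 10:16:05.404040 2020] [mpm_event:notice] [pid 900] AH00489: Apache/2.4.41 (Ubuntu) configured -- resuming normal operations
[Wed Aug 12 11:40:09.505050 2020] [core:notice] [pid 900] AH00052: child pid 1302 exit signal Segmentation fault (11)'

# Flag minutes with three or more crashed workers.
printf '%s\n' "$SAMPLE_LOG" | crash_bursts 3
```

A worker that dies mid-request typically never writes its access-log entry, so treat the error log as the primary signal and correlate any burst with traffic to the uWSGI-proxied paths.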

How to Mitigate CVE-2020-11984

Immediate Actions Required

  • Upgrade Apache HTTP Server to version 2.4.45 or later, which contains the fix for this vulnerability
  • If immediate patching is not possible, disable mod_proxy_uwsgi if it is not required for operations
  • Implement network segmentation to limit exposure of vulnerable Apache instances
  • Deploy a web application firewall (WAF) to filter potentially malicious requests

Patch Information

Apache Software Foundation has released Apache HTTP Server version 2.4.46 which addresses this vulnerability. Organizations should update to version 2.4.46 or later to remediate CVE-2020-11984. Patches are also available through various Linux distribution channels including Ubuntu, Debian, Fedora, and openSUSE. Refer to the Apache HTTP Server Vulnerabilities page for official patch information. Additional vendor-specific patches are available from Oracle, NetApp, and Gentoo.
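
To decide which hosts need the update, the affected range stated on this page (2.4.32 to 2.4.44) can be checked together with whether mod_proxy_uwsgi is actually loaded. This is an added example, not code from the advisory; the function names are hypothetical and the sample inputs are constructed. Distribution packages can carry the fix without changing the upstream version string, so a REVIEW verdict means checking the package changelog rather than a confirmed finding.

```bash
# Added example (not from the advisory): triage a host against this page's
# affected range, 2.4.32 to 2.4.44 with mod_proxy_uwsgi loaded.
# Function names are hypothetical; the sample inputs are constructed.

# Extract "2.4.41" from `apache2ctl -v` (or `httpd -v`) output.
parse_httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Succeed only if the upstream version is inside 2.4.32 .. 2.4.44.
version_in_affected_range() {
    local major rest minor patch
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" = 2 ] && [ "$minor" = 4 ] || return 1
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    [ "$patch" -ge 32 ] && [ "$patch" -le 44 ]
}

# Succeed if `apache2ctl -M` output lists the uwsgi proxy module.
uwsgi_module_loaded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*proxy_uwsgi_module[[:space:]]'
}

# Combine both checks into a one-line verdict.
triage_cve_2020_11984() {   # $1 = version output, $2 = module list
    local version
    version=$(parse_httpd_version "$1")
    if [ -z "$version" ]; then
        echo "UNKNOWN: could not parse httpd version"
    elif ! uwsgi_module_loaded "$2"; then
        echo "NOT EXPOSED: mod_proxy_uwsgi not loaded (httpd $version)"
    elif version_in_affected_range "$version"; then
        echo "REVIEW: httpd $version is in the affected range with mod_proxy_uwsgi loaded"
    else
        echo "OK: httpd $version is outside the affected range"
    fi
}

# Constructed sample; on a real host pass "$(apache2ctl -v)" "$(apache2ctl -M)".
SAMPLE_V='Server version: Apache/2.4.41 (Ubuntu)'
SAMPLE_M=' proxy_module (shared)
 proxy_uwsgi_module (shared)'
triage_cve_2020_11984 "$SAMPLE_V" "$SAMPLE_M"
```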

Workarounds

  • If uWSGI proxying functionality is not required, disable the mod_proxy_uwsgi module by running a2dismod proxy_uwsgi
  • Implement strict input validation at the network perimeter using a WAF or reverse proxy that can filter oversized requests
  • Restrict access to uWSGI proxy endpoints to trusted networks only using Apache access controls or firewall rules
  • Consider using alternative proxy modules such as mod_proxy_http with a uWSGI HTTP connector as a temporary measure

```bash
# Disable mod_proxy_uwsgi on Debian/Ubuntu systems
sudo a2dismod proxy_uwsgi
sudo systemctl restart apache2

# Verify module is disabled (no output means proxy_uwsgi_module is not loaded)
apache2ctl -M | grep uwsgi
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: Apache
  • Severity: CRITICAL
  • CVSS Score: 9.8
  • EPSS Probability: 75.35%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-120

Technical References

  • openSUSE Security Announcement
  • Packet Storm Exploit Analysis
  • Openwall OSS-Security Discussion
  • Apache Mailing List Discussion
  • Debian LTS Announcement
  • Fedora Package Announcement
  • Gentoo GLSA 202008-04
  • NetApp Security Advisory
  • Ubuntu Security Notice
  • Debian Security Advisory
  • Oracle CPU January 2021
  • Oracle CPU October 2020

Vendor Resources

  • Openwall OSS-Security Discussion
  • Apache HTTP Server Vulnerabilities