CVE-2020-1927 Overview
CVE-2020-1927 is an open redirect vulnerability [CWE-601] in Apache HTTP Server versions 2.4.0 through 2.4.41. The flaw affects mod_rewrite configurations that produce self-referential redirects. Attackers can craft URLs containing encoded newline characters to bypass the self-reference check and force redirection to an arbitrary URL within the request URL. The issue is reachable over the network and requires user interaction, typically through a malicious link.
Critical Impact
Attackers can leverage trusted Apache-hosted domains to redirect victims to attacker-controlled URLs, enabling phishing campaigns, credential theft, and malware delivery against users who trust the originating site.
Affected Products
- Apache HTTP Server 2.4.0 through 2.4.41
- Debian Linux 9.0, 10.0; Canonical Ubuntu 16.04 ESM, 18.04 LTS, 20.04 LTS; Fedora 31, 32; openSUSE Leap 15.1
- Oracle Communications Element Manager, Session Report Manager, Session Route Manager (8.1.1, 8.2.0, 8.2.1); Oracle Enterprise Manager Ops Center 12.4; Oracle ZFS Storage Appliance Kit 8.8; NetApp OnCommand Unified Manager; Broadcom Brocade Fabric OS
Discovery Timeline
- 2020-04-02 - CVE-2020-1927 published to NVD
- 2020-04-03 - Coordinated disclosure via Openwall oss-security mailing list
- 2020-04-13 - NetApp publishes security advisory NTAP-20200413-0002
- 2020-07 - Oracle includes fix in July 2020 Critical Patch Update
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-1927
Vulnerability Analysis
The vulnerability is classified as a URL Redirection to Untrusted Site, commonly known as an Open Redirect [CWE-601]. The defect resides in how mod_rewrite validates redirect targets when administrators write rules intended to redirect requests back to the same host. The mod_rewrite module performs a self-reference check on the target URL, but the check does not account for encoded control characters embedded in the request path. As a result, a redirect that an operator configured to stay within their domain can be coerced into emitting a Location header pointing to a foreign URL.
Because the redirect is generated by the trusted server, browsers and security tooling treat the response as originating from the legitimate site. This allows social engineering attacks to abuse the host's reputation and TLS certificate.
Root Cause
The root cause is improper input validation of encoded newline characters (%0A and related sequences) within request URLs processed by mod_rewrite. When a rewrite rule constructs a redirect target using captured portions of the request URL, the encoded newline causes the parser to truncate or reinterpret the destination so that the self-reference test passes while the emitted Location value contains attacker-controlled content. The fix in Apache 2.4.42 hardens URL parsing in mod_rewrite so encoded newlines are rejected or normalized before the redirect target is evaluated.
Attack Vector
Exploitation requires an attacker to deliver a crafted URL to a victim, for example through a phishing email, malicious advertisement, or chat message. The URL targets a vulnerable Apache host that uses mod_rewrite rules constructing redirects from the request URL. The crafted path includes an encoded newline followed by an attacker-controlled URL fragment. When the victim's browser follows the link, the Apache server returns a 3xx response with a Location header pointing to the attacker's destination. The victim is redirected away from the trusted domain without warning. No authentication is required and the attack works against any user who clicks the link.
The vulnerability is described in prose only as no verified public proof-of-concept code is referenced in the advisory data. See the Apache HTTPD Vulnerabilities advisory for vendor details.
Detection Methods for CVE-2020-1927
Indicators of Compromise
- Access log entries containing %0a, %0d, %0A, or %0D sequences within request URIs that match RewriteRule patterns
- Outbound 302 or 301 responses where the Location header host differs from the server's canonical hostname
- Spikes in redirect responses tied to specific RewriteRule patterns, especially those using $1 or %{REQUEST_URI} capture references
- Referrer logs on downstream phishing infrastructure showing the vulnerable Apache host as the source
Detection Strategies
- Query web server access logs for URI patterns matching the regular expression %0[aAdD] and correlate with non-2xx response codes
- Inspect mod_rewriteRewriteLog or LogLevel rewrite:trace output for substitutions where the post-rewrite target host does not equal the server name
- Run version inventory across the fleet using httpd -v or package manager queries to identify Apache builds at or below 2.4.41
- Deploy web application firewall rules that reject requests containing raw or doubly encoded CR/LF in the path component
Monitoring Recommendations
- Forward Apache access_log and error_log to a centralized SIEM or data lake and alert on suspicious redirect chains leaving the trusted domain
- Monitor egress URL reputation for hosts referenced in Location headers emitted by internal Apache servers
- Track mod_rewrite rule changes in configuration management to identify rules that derive redirect targets from user-supplied input
How to Mitigate CVE-2020-1927
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.42 or later on all affected hosts
- Apply distribution patches for Debian (DSA-4757), Ubuntu (USN-4458-1), Fedora, and openSUSE as listed in the vendor advisories
- Apply Oracle Critical Patch Updates (July 2020 and April 2021) for affected Oracle Communications and Enterprise Manager products
- Audit all RewriteRule directives that construct redirect URLs from %{REQUEST_URI}, %{QUERY_STRING}, or backreferences
Patch Information
The upstream fix is included in Apache HTTP Server 2.4.42, released April 2020. Refer to the Apache HTTPD 2.4 Vulnerabilities page for the official advisory, the NetApp Security Advisory for OnCommand products, the Debian Security Announcement DSA-4757, and the Ubuntu Security Notice USN-4458-1.
Workarounds
- Rewrite affected rules to use absolute server-controlled targets rather than reflecting %{REQUEST_URI} or captured groups into the substitution
- Add a RewriteCond that rejects requests containing %0A or %0D in the URI before redirect rules execute
- Place a reverse proxy or WAF in front of Apache that normalizes URLs and strips control characters
# Configuration example: block encoded newlines before rewrite-based redirects
RewriteEngine On
RewriteCond %{THE_REQUEST} (\\x0A|\\x0D|%0A|%0D) [NC]
RewriteRule .* - [F,L]
# Then existing self-referential rules
RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
