A privilege escalation vulnerability of important severity in the Apache HTTP server, allowing users with the right to write and run scripts to gain root on Unix systems, was fixed in Apache httpd 2.4.39. As detailed in the changelog, the flaw, tracked as CVE-2019-0211, impacts all Apache HTTP Server releases from 2.4.17 to 2.4.38 and makes it possible to execute arbitrary code via scoreboard manipulation.
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
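As an added example (not from the article or the Apache project), the shell function below classifies `httpd -V` output against the release range and MPM list quoted above. The function name `check_httpd_banner` and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `httpd -V` / `apachectl -V` output for CVE-2019-0211.
# Criteria taken from the advisory text on this page:
#   releases 2.4.17 through 2.4.38, MPM event, worker or prefork.

# check_httpd_banner (hypothetical helper name): reads the -V output on stdin
# and prints exactly one of: affected | not-affected | unknown
check_httpd_banner() {
    awk '
    /^Server version:/ {
        # e.g. "Server version: Apache/2.4.38 (Unix)"
        if (match($0, /Apache\/[0-9]+\.[0-9]+\.[0-9]+/)) {
            ver = substr($0, RSTART + 7, RLENGTH - 7)   # skip "Apache/"
            split(ver, p, ".")
            have_ver = 1
        }
    }
    /^Server MPM:/ { mpm = tolower($3) }                # e.g. "Server MPM:     event"
    END {
        # No parsable version line: do not guess.
        if (!have_ver) { print "unknown"; exit }
        hit = (p[1] + 0 == 2 && p[2] + 0 == 4 && p[3] + 0 >= 17 && p[3] + 0 <= 38)
        if (!hit) { print "not-affected"; exit }
        # Version is in range but the MPM line is missing: cannot decide.
        if (mpm == "") { print "unknown"; exit }
        if (mpm == "event" || mpm == "worker" || mpm == "prefork")
            print "affected"
        else
            print "not-affected"                        # MPM outside the advisory list
    }'
}

# Constructed sample, not captured from a real host.
sample='Server version: Apache/2.4.38 (Unix)
Server built:   Jan  1 2019 00:00:00
Server MPM:     event
  threaded:     yes (fixed thread count)'

printf '%s\n' "$sample" | check_httpd_banner
# On a live host: httpd -V 2>/dev/null | check_httpd_banner
```

Distribution packages often carry backported fixes without changing the upstream version string, so treat an `affected` result as a prompt to check the vendor's advisory for the installed package.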
Mark J. Cox, a founding member of the Apache Software Foundation and the OpenSSL project, explained in a Twitter post that the CVE-2019-0211 security issue patched in httpd 2.4.39 is particularly serious when the web server is used for running shared hosting instances and some of the users with script writing permissions are untrusted.