A vulnerability in the Apache HTTP server which allows users to write and run scripts in order to gain root on Unix systems was patched in Apache httpd 2.4.39 release.

According to the changelog which was tracked as CVE-2019-0211, all Apache HTTP Server releases were impacted, starting from 2.4.17 to 2.4.38. Additionally, the execution of arbitrary code through scoreboard manipulation has also been made possible.

As the web server is employed for running shared hosting instances, Mark J. Cox, Apache Software Foundation and the OpenSSL project founding member, emphasized on the seriousness of the issue in a Twitter post he made about CVE-2019-0211 security issue.

Users with few permissions on the server would now be able to extend the privileges by making the use of scripts which run commands on defenseless Apache servers as root, Cox further explained.

Along with this major flaw, two other control bypass security vulnerabilities were also patched with the Apache HTTP Server 2.4.39 release.

Besides these three, the latest Apache httpd release also fixed three less severe flaws which potentially could have led to normalization inconsistency issues and crashes.

The privilege escalation vulnerability of significant severity was reported by a security engineer on February 22 along with a response and reportedly a fix have been provided by Apache on March 7.