
Found this, looks like a more detailed writeup of what's going on. https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-loc...


Probably a stupid question, but are the version #'s mentioned here ( "From version 2.4.17 (Oct 9, 2015) to version 2.4.38 (Apr 1, 2019), Apache HTTP suffers from a local root privilege escalation vulnerability due to an out-of-bounds array access leading to an arbitrary function call." ) the only ones affected, or is it possible earlier versions are affected as well?

Also, I just want to throw out there that the name of this one is great:

"Why the name ? CARPE: stands for CVE-2019-0211 Apache Root Privilege Escalation DIEM: the exploit triggers once a day

I had to."


> but are the version #'s mentioned here ... the only ones affected

Usually when a range like that is given, yes.

> From version 2.4.17 (Oct 9, 2015) to version 2.4.38 (Apr 1, 2019)

This case implies that they know the bug was introduced in a particular change, which went public with version 2.4.17 and was either fixed or otherwise mitigated in 2.4.38.

The only earlier or other versions that I would expect to see affected are dev/alpha/beta branches.


This part is concerning:

> Apache's team has been prompt to respond and patch, and nice as hell. Really good experience. PHP never answered regarding the UAF.


FWIW I reported it to PHP's bug tracker: https://bugs.php.net/bug.php?id=77843

I expect that it'll be fixed, but not handled as a security issue, as it doesn't fit within PHP's model of security vulns.


> This looks like it requires specially crafted code, therefore not a security issue.

I'm not sure how I feel about such a response. Many exploits require odd, but valid code, and more often than not it exists out there.

Also, it feels weird for this to be tagged as a JSON issue?


Basically they don't consider the engineer exploiting the interpreter to be a security vulnerability. That seems a bit dubious, but I can see where they are coming from in treating the script author as a trusted party.


That’s been my experience reporting any kind of bug with the PHP core team. It really is a pain in the neck.



