Vulnerability CVE-2019-0215


Published: 2019-04-08

Description:
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

Type:

CWE-284

(Improper Access Control)

CVSS2 => (AV:N/AC:M/Au:S/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6/10
6.4/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Fedoraproject -> Fedora 
Apache -> Http server 

 References:
http://www.openwall.com/lists/oss-security/2019/04/02/4
http://www.securityfocus.com/bid/107667
https://access.redhat.com/errata/RHSA-2019:0980
https://httpd.apache.org/security/vulnerabilities_24.html
https://lists.apache.org/thread.html/2d6bd429a0ba9af1580da896575cfca6e42bb05e7536562d4b095fcf@%3Ccvs.httpd.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ALIR5S3O7NRHEGFMIDMUSYQIZOE4TJJN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZRMTEIGZKYFNGIDOTXN3GNEJTLVCYU7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT/
https://security.netapp.com/advisory/ntap-20190423-0001/
https://support.f5.com/csp/article/K59440504

Copyright 2020, cxsecurity.com

 

Back to Top