oss-sec mailing list archives
CVE-2019-0217: mod_auth_digest access control bypass
From: Daniel Ruggeri <druggeri () apache org>
Date: Mon, 01 Apr 2019 20:31:24 -0500
CVE-2019-0217: mod_auth_digest access control bypass

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.38

Description:
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in
mod_auth_digest when running in a threaded server could allow a user with
valid credentials to authenticate using another username, bypassing
configured access control restrictions.

Mitigation:
All httpd users deploying mod_auth_digest should upgrade to 2.4.39 or
later.

Credit:
The issue was discovered by Simon Kappel.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
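
A triage check for the three conditions the advisory names (version 2.4.0 to 2.4.38, mod_auth_digest loaded, threaded server), as an added example that is not part of the advisory or of httpd. The function name, status strings and sample text are assumptions made for illustration; the parsing relies on the usual `httpd -V` and `httpd -M` output layout.

```shell
# Added example: reports whether a host matches the advisory's three conditions.
# Inputs are captured text: $1 = output of `httpd -V`, $2 = output of `httpd -M`.
cve_2019_0217_status() {
    build_info=$1
    modules=$2

    # Pull "2.4.38" out of "Server version: Apache/2.4.38 (Unix)".
    version=$(printf '%s\n' "$build_info" |
        sed -n 's|^Server version: *Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1)
    if [ -z "$version" ]; then echo unknown; return 0; fi

    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # Condition 1: version inside the advisory range, 2.4.0 to 2.4.38.
    if [ "$major" -ne 2 ] || [ "$minor" -ne 4 ] || [ "$patch" -gt 38 ]; then
        echo not-affected; return 0
    fi
    # Condition 2: mod_auth_digest is loaded.
    if ! printf '%s\n' "$modules" | grep -q 'auth_digest_module'; then
        echo not-affected; return 0
    fi
    # Condition 3: threaded server (worker and event MPMs report "threaded: yes").
    if printf '%s\n' "$build_info" | grep -Eq '^[[:space:]]*threaded:[[:space:]]*yes'; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample input (not captured from a real host).
SAMPLE_BUILD='Server version: Apache/2.4.38 (Unix)
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 auth_digest_module (shared)'

cve_2019_0217_status "$SAMPLE_BUILD" "$SAMPLE_MODULES"   # prints: affected
# On a live host: cve_2019_0217_status "$(httpd -V 2>&1)" "$(httpd -M 2>&1)"
```

On some distributions the binary is invoked as `apachectl` or `apache2ctl` rather than `httpd`. Distribution packages may carry a backported fix without changing the upstream version string, so an `affected` result is a prompt to check the vendor's package changelog.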