oss-sec mailing list archives
CVE-2019-0215: mod_ssl access control bypass
From: Daniel Ruggeri <druggeri () apache org>
Date: Mon, 01 Apr 2019 20:31:27 -0500
CVE-2019-0215: mod_ssl access control bypass Severity: Important Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.27 to 2.4.38 Description: In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions. Mitigation: This issue can be mitigated by disabling the TLSv1.3 protocol for a VirtualHost which requires per-location or per-directory client certificate authentication. Credit: The issue was discovered by Michael Kaufmann. References: https://httpd.apache.org/security/vulnerabilities_24.html
Current thread:
- CVE-2019-0215: mod_ssl access control bypass Daniel Ruggeri (Apr 02)