In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
Apache HTTP Server is prone to an authentication bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may lead to further attacks. Apache HTTP Server versions 2.4 through 2.4.38 are vulnerable.
Updates are available. Please see the references or vendor advisory for more information.
Currently, we are not aware of any working exploits.
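The three preconditions described above (a 2.4 release up to 2.4.38, a threaded server, and mod_auth_digest loaded) can be checked from the output of `httpd -V` and `httpd -M`. The following is an added example, not part of the original advisory; the sample outputs are constructed and the function names are hypothetical.

```python
import re

# Constructed sample output of `httpd -V` and `httpd -M` (not from a real host).
SAMPLE_V = """Server version: Apache/2.4.38 (Unix)
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
"""
SAMPLE_M = """Loaded Modules:
 core_module (static)
 auth_basic_module (shared)
 auth_digest_module (shared)
"""

LAST_AFFECTED = (2, 4, 38)  # per the advisory: 2.4.38 and prior


def parse_version(v_output):
    """Return (major, minor, patch) from the 'Server version' line, or None."""
    m = re.search(r"^Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", v_output, re.M)
    return tuple(int(g) for g in m.groups()) if m else None


def is_threaded(v_output):
    """True when the build reports a threaded MPM (e.g. worker or event)."""
    return re.search(r"^\s*threaded:\s*yes\b", v_output, re.M) is not None


def digest_loaded(m_output):
    """True when mod_auth_digest appears in the loaded-module list."""
    return re.search(r"^\s*auth_digest_module\b", m_output, re.M) is not None


def assess(v_output, m_output):
    """Combine the three preconditions named in the advisory."""
    version = parse_version(v_output)
    if version is None:
        return {"exposed": None, "reason": "could not parse server version"}
    checks = {
        "version_affected": version[:2] == (2, 4) and version <= LAST_AFFECTED,
        "threaded_mpm": is_threaded(v_output),
        "mod_auth_digest": digest_loaded(m_output),
    }
    return {"exposed": all(checks.values()), "version": version, **checks}


if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_M))
```

Distribution packages may backport fixes without changing the reported upstream version, so confirm a positive result against the vendor advisory. A loaded module also only matters where `AuthType Digest` is actually configured.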