CVE-2019-0217 - Race Conditions vulnerability in multiple products

Publication

2019-04-08

Last modification

2019-05-14

Summary

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

Description

Apache HTTP Server is prone to an authentication bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may lead to further attacks. Apache HTTP Server versions 2.4 through 2.4.38 are vulnerable.

Solution

Updates are available. Please see the references or vendor advisory for more information.

Exploit

Currently, we are not aware of any working exploits.

Classification

CWE-362 - Race Conditions

Risk level (CVSS AV:N/AC:M/Au:S/C:P/I:P/A:P)

Medium

6.0

Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High

Authentication

  • None
  • Single
  • Multiple

Confidentiality Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None