Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2017-3167

Опубликовано: 20 июн. 2017
Источник: redhat
CVSS3: 7.4
EPSS Низкий

Описание

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5httpdWill not fix
Red Hat JBoss Enterprise Application Platform 5jbossasNot affected
Red Hat JBoss Enterprise Application Platform 6jbossasWill not fix
Red Hat JBoss Enterprise Web Server 1httpdWill not fix
Red Hat JBoss Enterprise Web Server 2httpdWill not fix
Red Hat JBoss Enterprise Web Server 3httpdFix deferred
JBoss Core Services on RHEL 6jbcs-httpd24-httpdFixedRHSA-2017:347715.12.2017
JBoss Core Services on RHEL 6jbcs-httpd24-mod_bmxFixedRHSA-2017:347715.12.2017
JBoss Core Services on RHEL 6jbcs-httpd24-mod_cluster-nativeFixedRHSA-2017:347715.12.2017
JBoss Core Services on RHEL 7jbcs-httpd24-httpdFixedRHSA-2017:347615.12.2017

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-287
https://bugzilla.redhat.com/show_bug.cgi?id=1463194httpd: ap_get_basic_auth_pw() authentication bypass

EPSS

Процентиль: 92%
0.0944
Низкий

7.4 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2017-3167

CVSS3: 9.8
ubuntu
больше 8 лет назад

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

nvd логотип

CVE-2017-3167

CVSS3: 9.8
nvd
больше 8 лет назад

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

debian логотип

CVE-2017-3167

CVSS3: 9.8
debian
больше 8 лет назад

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of th ...

github логотип

GHSA-9mgw-4qp5-wrrj

CVSS3: 9.8
github
больше 3 лет назад

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

fstec логотип

BDU:2017-02153

CVSS3: 9.8
fstec
почти 9 лет назад

Уязвимость функции ap_get_basic_auth_pw() веб-сервера Apache HTTP Server, позволяющая нарушителю обойти требования аутентификации

EPSS

Процентиль: 92%
0.0944
Низкий

7.4 High

CVSS3