Описание
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
Затронутые пакеты
Платформа | Пакет | Состояние | Рекомендация | Релиз |
---|---|---|---|---|
CloudForms Management Engine 5 | httpd | Not affected | ||
Red Hat Enterprise Linux 5 | httpd | Not affected | ||
Red Hat Enterprise Linux 6 | httpd | Not affected | ||
Red Hat JBoss Enterprise Application Platform 5 | httpd | Not affected | ||
Red Hat JBoss Enterprise Application Platform 6 | httpd | Not affected | ||
Red Hat JBoss Enterprise Web Server 2 | httpd | Not affected | ||
Red Hat JBoss Web Server 3 | httpd | Not affected | ||
JBoss Core Services on RHEL 6 | jbcs-httpd24-apr | Fixed | RHSA-2019:3932 | 20.11.2019 |
JBoss Core Services on RHEL 6 | jbcs-httpd24-apr-util | Fixed | RHSA-2019:3932 | 20.11.2019 |
JBoss Core Services on RHEL 6 | jbcs-httpd24-brotli | Fixed | RHSA-2019:3932 | 20.11.2019 |
Показывать по
Дополнительная информация
Статус:
5.4 Medium
CVSS3
Связанные уязвимости
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks ...
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
Уязвимость модуля mod_session веб-сервера Apache HTTP Server, связанная с отсутствием учета времени жизни сеанса, позволяющая нарушителю оказать воздействие на целостность защищаемых данных
5.4 Medium
CVSS3