Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-17199

Опубликовано: 22 янв. 2019
Источник: redhat
CVSS3: 5.4

Описание

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
CloudForms Management Engine 5httpdNot affected
Red Hat Enterprise Linux 5httpdNot affected
Red Hat Enterprise Linux 6httpdNot affected
Red Hat JBoss Enterprise Application Platform 5httpdNot affected
Red Hat JBoss Enterprise Application Platform 6httpdNot affected
Red Hat JBoss Enterprise Web Server 2httpdNot affected
Red Hat JBoss Web Server 3httpdNot affected
JBoss Core Services on RHEL 6jbcs-httpd24-aprFixedRHSA-2019:393220.11.2019
JBoss Core Services on RHEL 6jbcs-httpd24-apr-utilFixedRHSA-2019:393220.11.2019
JBoss Core Services on RHEL 6jbcs-httpd24-brotliFixedRHSA-2019:393220.11.2019

Показывать по

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-613
https://bugzilla.redhat.com/show_bug.cgi?id=1668493httpd: mod_session_cookie does not respect expiry time

5.4 Medium

CVSS3

Связанные уязвимости

CVSS3: 7.5
ubuntu
больше 6 лет назад

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

CVSS3: 7.5
nvd
больше 6 лет назад

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

CVSS3: 7.5
debian
больше 6 лет назад

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks ...

CVSS3: 7.5
github
около 3 лет назад

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

CVSS3: 7.5
fstec
почти 7 лет назад

Уязвимость модуля mod_session веб-сервера Apache HTTP Server, связанная с отсутствием учета времени жизни сеанса, позволяющая нарушителю оказать воздействие на целостность защищаемых данных

5.4 Medium

CVSS3