Description
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration. It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
Statement
Based on the fact that digest authentication is rarely used in modern web applications, and that the httpd packages shipped with Red Hat products do not use a threaded MPM configuration by default, this flaw has been rated as having Moderate security impact. Red Hat Enterprise Linux 6 is now in the Maintenance Support 2 Phase of the support and maintenance life cycle. This flaw has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Mitigation
This flaw only affects a threaded server configuration, so using the prefork MPM is an effective mitigation. In versions of httpd package shipped with Red Hat Enterprise Linux 7, the prefork MPM is the default configuration.
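The mitigation above turns on one question: is httpd running a threaded MPM (worker or event) with mod_auth_digest loaded? The following POSIX shell script is an added example, not part of the Red Hat advisory or the httpd project. It parses the output of `httpd -V` (which reports the active MPM) and `httpd -M` (which lists loaded modules) and reports "exposed" only when both conditions hold. The sample outputs embedded below are constructed for offline use; the function names (`classify_mpm`, `digest_loaded`, `assess`) are this example's own.

```shell
#!/bin/sh
# Added example: decide whether this race condition is reachable on a host
# by checking the active MPM and whether mod_auth_digest is loaded.

# Constructed samples standing in for real `httpd -V` / `httpd -M` output.
SAMPLE_V_EVENT='Server version: Apache/2.4.x (constructed sample)
Server MPM:     event
  threaded:     yes (fixed thread count)'
SAMPLE_V_PREFORK='Server version: Apache/2.4.x (constructed sample)
Server MPM:     prefork
  threaded:     no'
SAMPLE_M_WITH_DIGEST='Loaded Modules:
 core_module (static)
 auth_basic_module (shared)
 auth_digest_module (shared)'
SAMPLE_M_NO_DIGEST='Loaded Modules:
 core_module (static)
 auth_basic_module (shared)'

# Print "threaded" for the worker/event MPMs, "prefork" for prefork,
# "unknown" if no "Server MPM:" line is present in the given text.
classify_mpm() {
    mpm=$(printf '%s\n' "$1" | sed -n 's/^Server MPM:[[:space:]]*//p' | tr 'A-Z' 'a-z')
    case "$mpm" in
        worker|event) echo threaded ;;
        prefork)      echo prefork ;;
        *)            echo unknown ;;
    esac
}

# Succeed (exit 0) when auth_digest_module appears in the module listing.
digest_loaded() {
    printf '%s\n' "$1" | grep -q 'auth_digest_module'
}

# The flaw needs both a threaded MPM and mod_auth_digest; anything else is
# reported as "not-exposed". Arguments: `httpd -V` text, `httpd -M` text.
assess() {
    mpm=$(classify_mpm "$1")
    if [ "$mpm" = threaded ] && digest_loaded "$2"; then
        echo exposed
    else
        echo not-exposed
    fi
}

# Run against the local server when httpd is installed. On RHEL 7 the MPM is
# selected by the LoadModule line in /etc/httpd/conf.modules.d/00-mpm.conf;
# pointing it at mod_mpm_prefork.so applies the mitigation described above.
if command -v httpd >/dev/null 2>&1; then
    assess "$(httpd -V 2>/dev/null)" "$(httpd -M 2>/dev/null)"
fi
```

Switching to prefork removes the threaded code path entirely, so "not-exposed" for a prefork host is a structural result rather than a patch-level check; the script does not tell you whether the package itself carries the fix, only whether the vulnerable configuration is in use.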
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | httpd | Out of support scope | | |
| Red Hat Enterprise Linux 6 | httpd | Out of support scope | | |
| Red Hat JBoss Enterprise Web Server 2 | httpd | Out of support scope | | |
| Red Hat Virtualization 4 | rhvm-appliance | Not affected | | |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-apr | Fixed | RHSA-2019:3932 | 20.11.2019 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-apr-util | Fixed | RHSA-2019:3932 | 20.11.2019 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-brotli | Fixed | RHSA-2019:3932 | 20.11.2019 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-curl | Fixed | RHSA-2019:3932 | 20.11.2019 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-httpd | Fixed | RHSA-2019:3932 | 20.11.2019 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-jansson | Fixed | RHSA-2019:3932 | 20.11.2019 |
Additional information
CVSS3: 7.1 High
Related vulnerabilities
A vulnerability in the mod_auth_digest component of the Apache HTTP Server web server that allows an attacker to authenticate using another username