Description
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
Release | Status | Note |
---|---|---|
devel | released | 2.4.64-1ubuntu2 |
esm-infra-legacy/trusty | needs-triage | |
esm-infra/bionic | released | 2.4.29-1ubuntu4.27+esm6 |
esm-infra/focal | released | 2.4.41-4ubuntu3.23+esm2 |
esm-infra/xenial | released | 2.4.18-2ubuntu3.17+esm16 |
jammy | released | 2.4.52-1ubuntu4.15 |
noble | released | 2.4.58-1ubuntu8.7 |
plucky | released | 2.4.63-1ubuntu1.1 |
questing | released | 2.4.64-1ubuntu2 |
upstream | released | 2.4.64-1 |
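To check whether a server uses the logging configuration named in the description, the following added example (not part of the original advisory) scans Apache configuration text for `%{varname}x` and `%{varname}c` format items. The function name `audit_log_formats` and the sample configuration are constructed for illustration; `LogFormat` lines are included on the assumption that a `CustomLog` may refer to a format by nickname.

```python
import re

# %{VARNAME}x / %{VARNAME}c, optionally preceded by mod_log_config modifiers
# such as "!", a status-code list, "<" or ">".
SSL_FORMAT_ITEM = re.compile(r'%[!<>,\d]*\{([^}]+)\}([xc])')
# Directive names are case-insensitive in Apache configuration files.
LOG_DIRECTIVE = re.compile(r'^\s*(LogFormat|CustomLog)\s', re.IGNORECASE)

def audit_log_formats(conf_text):
    """Return (line_no, directive, variable, letter) for every %{var}x or
    %{var}c item found in an active LogFormat/CustomLog directive."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        match = LOG_DIRECTIVE.match(line)  # commented-out lines do not match
        if not match:
            continue
        # "%%" is a literal percent sign, so drop it before looking for items.
        body = line.replace('%%', '')
        for variable, letter in SSL_FORMAT_ITEM.findall(body):
            findings.append((line_no, match.group(1), variable, letter))
    return findings

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF = r'''# constructed sample
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\"" common
LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_TLS_SNI}x \"%r\"" ssl_sni
CustomLog logs/access_log common
CustomLog logs/ssl_request_log "%t %h %{SSL_CIPHER}c %b"
# CustomLog logs/old_log "%{SSL_TLS_SNI}x"
CustomLog logs/ssl_log ssl_sni
'''

if __name__ == "__main__":
    for line_no, directive, variable, letter in audit_log_formats(SAMPLE_CONF):
        print(f"line {line_no}: {directive} logs %{{{variable}}}{letter}")
```

Any finding on a host running a package version older than the fixed release in the table above means client-supplied values can reach that log file unescaped.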
EPSS
7.5 High
CVSS3