CVE-2019-0217
08.04.2019, 21:29
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| apache | http_server | 2.4.0 ≤ 𝑥 ≤ 2.4.38 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 18.10 |
| redhat | enterprise_linux | - |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| opensuse | leap | 15.0 |
| opensuse | leap | 42.3 |
| netapp | oncommand_unified_manager | - |
| netapp | clustered_data_ontap | - |
| oracle | enterprise_manager_ops_center | 12.3.3 |
| oracle | enterprise_manager_ops_center | 12.4.0 |
| oracle | http_server | 12.2.1.3.0 |
| oracle | retail_xstore_point_of_service | 7.0 |
| oracle | retail_xstore_point_of_service | 7.1 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| apache2 |
| ||||||||||||||||||||||||||
| apache2-devel |
| ||||||||||||||||||||||||||
| apache2-doc |
| ||||||||||||||||||||||||||
| apache2-example-pages |
| ||||||||||||||||||||||||||
| apache2-prefork |
| ||||||||||||||||||||||||||
| apache2-utils |
| ||||||||||||||||||||||||||
| apache2-worker |
|
Red Hat Enterprise Linux Releases
Amazon Linux Releases
Amazon Package | |||
|---|---|---|---|
| httpd |
| ||
| httpd-debuginfo |
| ||
| httpd-devel |
| ||
| httpd-filesystem |
| ||
| httpd-manual |
| ||
| httpd-tools |
| ||
| httpd24 |
| ||
| httpd24-debuginfo |
| ||
| httpd24-devel |
| ||
| httpd24-manual |
| ||
| httpd24-tools |
| ||
| mod24_ldap |
| ||
| mod24_md |
| ||
| mod24_proxy_html |
| ||
| mod24_session |
| ||
| mod24_ssl |
| ||
| mod_ldap |
| ||
| mod_md |
| ||
| mod_proxy_html |
| ||
| mod_session |
| ||
| mod_ssl |
|
References